[BlueOnyx:11619] Re: Logwatch question
Gerald Waugh
gwaugh at frontstreetnetworks.com
Fri Oct 26 18:50:00 -05 2012
On 10/26/2012 03:56 PM, George F. Nemeyer wrote:
> On Fri, 26 Oct 2012, Gerald Waugh wrote:
>
>>> It was suggested to me that this may show someone was trying to use my
>>> server for a DDOS attack on someone else. The list of URLS involved
>>> is stunning.
> We have a couple of our nameservers getting constantly pounded, one
> steadily for over a month now 'from' 108.162.207.5. Often the DNS
> requests are in a continuous stream amounting to 12-16kbps...not enough to
> raise alarms on a busy server, but enough to create significant outbound
> reply hits back to the forged IP target victim, especially if
> hundreds/thousands of DNS servers are used as amplifying reflectors. The
> DNS queries are mostly "ANY?" requests for a random hostname.
>
> Since the traffic coming to the nameserver is UDP with forged source
> addresses of intended victims, there's little to do but block (or not
> respond to) the traffic, as you can't tell where it's really coming from.
> Your upstream ISP *should* be doing some edge filtering as well.
>
>>> Perhaps someone has a suggestion on what to do?
> This sort of problem is growing. There's some 'bind' rate-limiting
> patches that may help (done by Paul Vixie, author of bind), and they may
> become standard in later releases. See
> http://www.redbarn.org/dns/ratelimits.
>
>> Not sure this is the best answer, But here is our solution
>> if your ISP provides nameservers, then only allow your nameservers to
>> respond for queries for domains it is responsible for.
> And limit recursion to only those hosts on your network, or those you
> specifically trust and want/need to serve recursively.
>
>> Make sure your server is setup to use your isp nameservers, in System
>> Management -> TCP/IP
>>
>> In /etc/maned.conf
>> options {
>> recursion no;
>> };
> I presume this is only for the LION nameserver, not for bind. :)
>
> Likewise, limit Zone transfers, or other types of requests that would
> generate 'large' answers to your own network and those servers (like
> slaves) that may need to get entire zones from you.
>
> You can specify recursion and zone transfers inside BX under
>
> Server Management -> Network Services -> DNS -> Advanced
>
> I think no recursion is *supposed* to be the default in BX, though the
> auto-generated named.conf is a bit ambiguous on this (I think the handler
> has a bug).
>
> There's a line reading: "// recursion allowed" even with no recursion IPs
> specified. Example from named.conf with nothing specified:
>
> options {
> directory "/var/named";
> // spoof version for a little more security via obscurity
> version "100.100.100";
> // no forwarders defined
> // zone transfer access denied
> allow-transfer { none; };
> // recursion access denied
> <--- an actual blank line
> // recursion allowed<--- Supposedly not true
> };
>
> With some transfers and recursion manually entered into the GUI, you get:
>
> options {
> directory "/var/named";
> // spoof version for a little more security via obscurity
> version "100.100.100";
> // no forwarders defined
> allow-transfer { 98.100.9.16; 98.100.9.20; };
> allow-recursion { 98.100.9.0/27; };
> // recursion allowed<--- Still there, now redundant
> };
>
>
> Note that the zone transfer section appears to act as expected, though it
> insists on individual IPs and won't accept a /xx mask, while recursion
> does.
>
> It would be nice if the ambiguity was cleaned up.
>
> Also:
>
> We're using a really nifty little unix utility called 'iftop' which can
> identify who's hitting your server and what service they're requesting.
> It's in the yum repository. This can help spot attackers by watching
> connections in real time. Also, another utility called 'iptraf' can help
> spot those IPs flooding UDP packets in to the nameserver, as well as let
> you grab and examine the packets you're getting. 'tcpdump' is also good
> for seeing the packet content.
>
> Once you've identified the bad IPs, toss them (or the entire netblocks)
> into an iptables DROP with
>
> iptables -A INPUT -s <badip/mask> -j DROP
>
> Doing this at your edge/gateway router will keep the machines behind it
> from seeing anything. If the block is done on a particular machine
> itself, inbound attack traffic into your network will still happen, but
> there will be no outbound responses back to the target IP (which is what
> they're trying to use you to generate).
>
> The ultimate answer, I think, will be bind becoming more resistant, thus
> making such attacks not worth launching in the first place.
>
> =^_^= Tigerwolf
>
I have used this on several servers and it works; the gui does not help,
tried it.
In /etc/named.conf
options {
recursion no;
};
--
Gerald
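A defender-side check for the pattern George describes above (a steady stream of "ANY" queries for random hostnames arriving from one source address), added here as an example and not part of the thread. It parses BIND 9 query-log lines of the older "client IP#port: query: name IN type flags" shape (the format and the sample lines are assumed and constructed for the example) and reports sources whose ANY-query volume and name randomness look like reflection traffic. Since the source address is the forged victim, the output tells you which address to stop replying to (the iptables DROP from the thread), not who is sending the packets.

```python
import re
from collections import Counter, defaultdict

# Assumed BIND 9 query-log line shape (constructed for this example):
#   "26-Oct-2012 15:56:01.001 client 203.0.113.7#53: query: a1b2.example.net IN ANY + (198.51.100.2)"
# The flags field starts with '+' when the client asked for recursion, '-' otherwise.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[^#\s]+)#\d+: query: "
    r"(?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

SAMPLE_LOG = [  # constructed sample lines; 203.0.113.7 plays the spoofed victim address
    "26-Oct-2012 15:56:01.001 client 203.0.113.7#53: query: a1b2.example.net IN ANY + (198.51.100.2)",
    "26-Oct-2012 15:56:01.002 client 203.0.113.7#53: query: q9x7.example.net IN ANY + (198.51.100.2)",
    "26-Oct-2012 15:56:01.003 client 203.0.113.7#53: query: zz01.example.net IN ANY + (198.51.100.2)",
    "26-Oct-2012 15:56:01.004 client 203.0.113.7#53: query: k3k3.example.net IN ANY + (198.51.100.2)",
    "26-Oct-2012 15:56:01.005 client 203.0.113.7#53: query: m8m8.example.net IN ANY + (198.51.100.2)",
    "26-Oct-2012 15:56:01.006 client 203.0.113.7#53: query: p0p0.example.net IN ANY +E (198.51.100.2)",
    "26-Oct-2012 15:56:02.000 client 198.51.100.9#51234: query: www.example.net IN A - (198.51.100.2)",
    "26-Oct-2012 15:56:02.500 client 198.51.100.9#51235: query: example.net IN ANY - (198.51.100.2)",
    "garbage line that does not parse",
]


def parse_query_log(lines):
    """Yield (timestamp, client_ip, qname, qtype, flags) for each parsable line."""
    for line in lines:
        m = QUERY_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("name"), m.group("qtype"), m.group("flags")


def find_amplification_sources(lines, any_threshold=5, distinct_name_ratio=0.8):
    """Return {client_ip: stats} for clients that sent at least any_threshold ANY
    queries where most query names are unique (the random-hostname pattern)."""
    any_counts, rd_counts, names = Counter(), Counter(), defaultdict(set)
    for _ts, ip, name, qtype, flags in parse_query_log(lines):
        if qtype == "ANY":
            any_counts[ip] += 1
            names[ip].add(name.lower())
            if flags.startswith("+"):  # recursion desired: hits an open resolver hardest
                rd_counts[ip] += 1
    suspects = {}
    for ip, n in any_counts.items():
        if n >= any_threshold and len(names[ip]) / n >= distinct_name_ratio:
            suspects[ip] = {"any_queries": n, "distinct_names": len(names[ip]), "rd_set": rd_counts[ip]}
    return suspects


if __name__ == "__main__":
    for ip, stats in find_amplification_sources(SAMPLE_LOG).items():
        print(f"{ip}: {stats}  (spoofed victim; stop replying, do not treat as attacker)")
```

Point it at a real query log with `find_amplification_sources(open("/var/log/named/query.log"))` once query logging is enabled in named.conf; the thresholds are starting points to tune against your normal ANY-query volume.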