[BlueOnyx:11617] Re: Logwatch question

George F. Nemeyer tigerwolf at tigerden.com
Fri Oct 26 15:56:51 -05 2012


On Fri, 26 Oct 2012, Gerald Waugh wrote:

> > It was suggested to me that this may show someone was trying to use my
> > server for a DDOS attack on someone else.  The list of URLS involved
> > is stunning.

We have a couple of our nameservers getting constantly pounded, one
steadily for over a month now 'from' 108.162.207.5.  Often the DNS
requests are in a continuous stream amounting to 12-16kbps...not enough to
raise alarms on a busy server, but enough to create significant outbound
reply hits back to the forged IP target victim, especially if
hundreds/thousands of DNS servers are used as amplifying reflectors.  The
DNS queries are mostly "ANY?" requests for a random hostname.

Since the traffic coming to the nameserver is UDP with forged source
addresses of intended victims, there's little to do but block (or not
respond to) the traffic, as you can't tell where it's really coming from.
Your upstream ISP *should* be doing some edge filtering as well.

> > Perhaps someone has a suggestion on what to do?

This sort of problem is growing.  There's some 'bind' rate-limiting
patches that may help (done by Paul Vixie, author of bind), and they may
become standard in later releases.  See
http://www.redbarn.org/dns/ratelimits.

> Not sure this is the best answer, But here is our solution
> if your ISP provides nameservers, then only allow your nameservers to
> respond for queries for domains it is responsible for.

And limit recursion to only those hosts on your network, or those you
specifically trust and want/need to serve recursively.

> Make sure your server is setup to use your isp nameservers, in System
> Management -> TCP/IP
>
> In /etc/maned.conf
>      options {
>          recursion no;
>      };

I presume this is only for the LION nameserver, not for bind.  :)

Likewise, limit Zone transfers, or other types of requests that would
generate 'large' answers to your own network and those servers (like
slaves) that may need to get entire zones from you.

You can specify recursion and zone transfers inside BX under

   Server Management -> Network Services -> DNS -> Advanced

I think no recursion is *supposed* to be the default in BX, though the
auto-generated named.conf is a bit ambiguous on this (I think the handler
has a bug).

There's a line reading:  "// recursion allowed" even with no recursion IPs
specified.  Example from named.conf with nothing specified:

  options {
    directory "/var/named";
    // spoof version for a little more security via obscurity
    version "100.100.100";
    // no forwarders defined
    // zone transfer access denied
    allow-transfer { none; };
    // recursion access denied
                                        <--- an actual blank line
    // recursion allowed                <--- Supposedly not true
  };

With some transfers and recursion manually entered into the GUI, you get:

  options {
    directory "/var/named";
    // spoof version for a little more security via obscurity
    version "100.100.100";
    // no forwarders defined
    allow-transfer { 98.100.9.16; 98.100.9.20; };
    allow-recursion { 98.100.9.0/27; };
    // recursion allowed               <--- Still there, now redundant
  };


Note that the zone transfer section appears to act as expected, though it
insists on individual IPs and won't accept a /xx mask, while recursion
does.

It would be nice if the ambiguity was cleaned up.

Also:

We're using a really nifty little unix utility called 'iftop' which can
identify who's hitting your server and what service they're requesting.
It's in the yum repository.  This can help spot attackers by watching
connections in real time.  Also, another utility called 'iptraf' can help
spot those IPs flooding UDP packets in to the nameserver, as well as let
you grab and examine the packets you're getting. 'tcpdump' is also good
for seeing the packet content.

Once you've identified the bad IPs, toss them (or the entire netblocks)
into an iptables DROP with

          iptables -A INPUT -s <badip/mask> -j DROP

Doing this at your edge/gateway router will keep the machines behind it
from seeing anything.  If the block is done on a particular machine
itself, inbound attack traffic into your network will still happen, but
there will be no outbound responses back to the target IP (which is what
they're trying to use you to generate).

The ultimate answer, I think, will be bind becoming more resistant, thus
making such attacks not worth launching in the first place.

=^_^=  Tigerwolf
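The "spot the flooding IPs, then DROP them" procedure from the post above, as an added example that is not the poster's or BlueOnyx's own code: it counts ANY queries per client in BIND query-log lines and turns the noisy sources into the same iptables rules the post shows. The log-line shape, the threshold and the sample lines (reusing the 108.162.207.5 address from the post beside constructed ones) are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_network

# BIND 9 query-log line shape assumed here (IPv4 clients only):
#   "client <ip>#<port>: query: <name> IN <type> <flags>"
QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")

# Constructed sample: one source hammering random names with ANY, one normal
# resolver doing A/MX lookups, one low-volume ANY query.
SAMPLE_LOG = """\
client 108.162.207.5#53: query: k3j9x.example.net IN ANY +
client 108.162.207.5#53: query: q0ab7.example.net IN ANY +
client 108.162.207.5#53: query: zz91m.example.net IN ANY +
client 108.162.207.5#53: query: p77r1.example.net IN ANY +
client 198.51.100.7#41213: query: www.example.net IN A +
client 198.51.100.7#41213: query: example.net IN MX +
client 203.0.113.9#53: query: x.example.net IN ANY +
"""


def count_any_queries(log_text):
    """Return {client_ip: number of ANY queries} from BIND query-log text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group("qtype") == "ANY":
            counts[m.group("ip")] += 1
    return counts


def flag_reflection_sources(counts, threshold):
    """Client IPs whose ANY-query count reaches the threshold, busiest first."""
    return [ip for ip, n in counts.most_common() if n >= threshold]


def drop_rules(ips, prefixlen=32):
    """iptables DROP rules in the form the post gives; prefixlen < 32 drops
    the whole netblock instead of single IPs.  Since the 'source' of a
    reflection flood is the forged victim address, dropping it silences the
    amplified replies toward the victim rather than punishing the attacker."""
    nets = sorted({ip_network(f"{ip}/{prefixlen}", strict=False) for ip in ips})
    return [f"iptables -A INPUT -s {net} -j DROP" for net in nets]


if __name__ == "__main__":
    noisy = flag_reflection_sources(count_any_queries(SAMPLE_LOG), threshold=3)
    print("\n".join(drop_rules(noisy)))
```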
