[BlueOnyx:12589] Re: DNS Spamming

George F. Nemeyer tigerwolf at tigerden.com
Wed Mar 20 15:51:24 -05 2013


On Mon, 18 Mar 2013, Will Nordmeyer wrote:

> Last night (actually over the past few days), my server has been
> hammered with DNS requests

You may have been an unwitting part of this:

http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho

In Blue Quartz/Blue Onyx, under Network Service/DNS/Advanced, there's
a checkbox labeled "Cache Record Lookups".  This sounds like it might be a
good thing, but what it's really doing is telling the DNS server to "Allow
Recursion" if checked.

Allowing recursion to *anyone* opens the server up to be a prime candidate
for use in a DNS amplification DDoS attack, precisely what the article
describes.

To prevent this, be sure you list *ONLY* IPs/networks the server NEEDS to
do recursive lookups for in the box: "Query Request Recursion Access by IP
Address".

To cloud the issue further, older versions of BIND may be fully open (much
like being an open mail relay was once considered a Good Thing).  In some
versions, "localhost; localnets" are the default for which recursion is
allowed.  In others, the default means anyone.

Check your BIND version and the actual recursion settings in
/etc/named.conf.

The iptables count-then-drop solutions mentioned by others here can help
mitigate an attack on your server once one begins; but the inbound query
traffic will still reach the server, even though no outbound response to
it is generated.

The problem with this approach is that a single or infrequent probe test
DNS query by the attacker will get by the counter; and if recursion is
allowed to external networks, your server would be seen and flagged as a
good target.  The solution also means that you'd be sending out a few
'attack' replies whenever the counter gets reset.  But, if recursion is
denied by proper BIND configuration, then probe tests will fail every
time, and hopefully the attacker will leave you alone and go looking
elsewhere for a vulnerable machine.

=^_^=  Tigerwolf
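An added example, not part of the post above, showing how to check the named.conf recursion settings the post says to verify. It assumes BIND 9 syntax (`recursion`, `allow-recursion`, `allow-query-cache`); the two config fragments are constructed here for illustration, and the ACL name "trusted" and the 192.0.2.0/24 network are placeholders, not anything from the thread. The weak fragment enables recursion with no `allow-recursion` list, which on older BIND releases means anyone; the hardened one restricts recursion (and cache queries) to the listed networks.

```shell
#!/bin/sh
# Added example: audit a BIND named.conf for open recursion.
# Not code from the original post; configs below are constructed samples.

WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
options {
    directory "/var/named";
    recursion yes;   // no allow-recursion: older BIND defaults this to "any"
};
EOF

HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
// "trusted" and 192.0.2.0/24 are placeholders (assumption); list only the
// networks that NEED recursive lookups from this server.
acl "trusted" { 127.0.0.1; ::1; 192.0.2.0/24; };
options {
    directory "/var/named";
    recursion yes;
    allow-recursion   { "trusted"; };
    allow-query-cache { "trusted"; };   // keep cache answers matched to recursion
};
EOF

# recursion_status FILE -> prints "disabled", "open" or "restricted".
#   disabled   : "recursion no;" is set
#   open       : recursion on with no allow-recursion, or allow-recursion { any; }
#   restricted : allow-recursion names something other than "any"
recursion_status() {
    conf="$1"
    # drop // and # comments so commented-out directives are not counted
    stripped=$(sed -e 's|//.*$||' -e 's|#.*$||' "$conf")
    if printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*recursion[[:space:]]+no[[:space:]]*;'; then
        echo disabled
        return 0
    fi
    allow=$(printf '%s\n' "$stripped" \
        | grep -E '^[[:space:]]*allow-recursion[[:space:]]*[{]' | head -n 1)
    if [ -z "$allow" ]; then
        echo open      # no explicit list: treat as open, as old BIND defaults do
        return 0
    fi
    # match "any" only as a whole token, so an ACL named e.g. "company" is not flagged
    if printf '%s\n' "$allow" | grep -Eq '(^|[^[:alnum:]_-])any([^[:alnum:]_-]|$)'; then
        echo open
    else
        echo restricted
    fi
}

for f in "$WEAK_CONF" "$HARDENED_CONF"; do
    printf '%s: recursion %s\n' "$f" "$(recursion_status "$f")"
done

# To confirm from an outside host (not run here): ask the server for a name it
# is not authoritative for and look at the flags. An "ra" flag plus an ANSWER
# section means it recursed for you; REFUSED or no "ra" means recursion is denied.
#   dig @your.server.example example.com A +recurse
```

Run it against the real `/etc/named.conf` with `recursion_status /etc/named.conf`; anything but "restricted" or "disabled" on a server exposed to the Internet is the condition the post warns about.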


