[BlueOnyx:12636] Re: DNS Spamming

Colin Jack colin at mainline.co.uk
Fri Mar 29 08:08:32 -05 2013


Thank you ... 

Colin

> You may have been an unwitting part of this:
> 
> http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho
> 
> In Blue Quartz/Blue Onyx, under Network Service/DNS/Advanced, there's
> a checkbox labeled "Cache Record Lookups".  This sounds like it might be a
> good thing, but what it's really doing is telling the DNS server to "Allow
> Recursion" if checked.
> 
> Allowing recursion to *anyone* opens the server up to be a prime candidate
> for use in a DNS amplification DDoS attack, precisely what the article
> describes.
> 
> To prevent this, be sure you list *ONLY* IPs/networks the server NEEDS to
> do recursive lookups for in the box: "Query Request Recursion Access by IP
> Address".
> 
> To cloud the issue further, older versions of BIND may be fully open (much
> like being an open mail relay was once considered a Good Thing).  In some
> versions, "localhost; localnets" are the default for which recursion is
> allowed.  In others, the default means anyone.
> 
> Check your BIND version and the actual recursion settings in
> /etc/named.conf.
> 
> The iptables count-then-drop solutions mentioned by others here can help
> mitigate an attack on your server once one begins; but the inbound query
> traffic will still reach the server, even though no outbound response to
> it is generated.
> 
> The problem with this approach is that a single or infrequent probe test
> DNS query by the attacker will get by the counter; and if recursion is
> allowed to external networks, your server would be seen and flagged as a
> good target.  The solution also means that you'd be sending out a few
> 'attack' replies whenever the counter gets reset.  But, if recursion is
> denied by proper BIND configuration, then probe tests will fail every
> time, and hopefully the attacker will leave you alone and go looking
> elsewhere for a vulnerable machine.
> 
> =^_^=  Tigerwolf
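An added example, not from either poster: a named.conf options block that applies the advice above by granting recursion only to an explicit ACL. The name "trusted" and the 203.0.113.0/24 range are placeholders for whatever networks your server actually needs to recurse for.

```conf
// Added example, not from the list post: restrict BIND recursion to an ACL.
// "trusted" and 203.0.113.0/24 are placeholders; substitute your own networks.
acl "trusted" {
    127.0.0.1;          // the server itself
    ::1;
    localnets;          // directly attached networks (BIND built-in ACL)
    203.0.113.0/24;     // placeholder: the client network(s) you serve
};

options {
    directory "/var/named";

    // The "Cache Record Lookups" checkbox amounts to turning this on for
    // everyone; `recursion yes;` with no ACL below is an open resolver.
    recursion yes;

    // Only ACL members may ask this server to recurse. Everyone else gets
    // REFUSED, so an amplification probe fails instead of being answered.
    allow-recursion { trusted; };

    // Keep cached answers private too (defaults to allow-recursion on
    // recent BIND, but older versions need it stated explicitly).
    allow-query-cache { trusted; };

    // Authoritative answers for zones hosted here still go to anyone.
    allow-query { any; };
};
```

Run `named-checkconf /etc/named.conf` before reloading, and expect queries for names outside your zones from non-ACL addresses to return REFUSED afterwards.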
