[BlueOnyx:12637] Re: DNS Spamming

Joseph Chambers joseph at michael-chambers.com
Fri Mar 29 10:51:21 -05 2013


yea I was just reading about that here: http://thehackernews.com/2013/03/worlds-biggest-ddos-attack-that-almost.html - stupid kids. 

On Mar 29, 2013, at 6:08 AM, Colin Jack <colin at mainline.co.uk> wrote:

> Thank you ... 
> 
> Colin
> 
>> You may have been an unwitting part of this:
>> 
>> http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho
>> 
>> In Blue Quartz/Blue Onyx, under Network Service/DNS/Advanced, there's
>> a checkbox labeled "Cache Record Lookups".  This sounds like it might be a
>> good thing, but what it's really doing is telling the DNS server to "Allow
>> Recursion" if checked.
>> 
>> Allowing recursion to *anyone* opens the server up to be a prime candidate
>> for use in a DNS amplification DDoS attack, precisely what the article
>> describes.
>> 
>> To prevent this, be sure you list *ONLY* IPs/networks the server NEEDS to
>> do recursive lookups for in the box: "Query Request Recursion Access by IP
>> Address".
>> 
>> To cloud the issue further, older versions of BIND may be fully open (much
>> like being an open mail relay was once considered a Good Thing).  In some
>> versions, "localhost; localnets" are the default for which recursion is
>> allowed.  In others, the default means anyone.
>> 
>> Check your BIND version and the actual recursion settings in
>> /etc/named.conf.
>> 
>> The iptables count-then-drop solutions mentioned by others here can help
>> mitigate an attack on your server once one begins; but the inbound query
>> traffic will still reach the server, even though no outbound response to
>> it is generated.
>> 
>> The problem with this approach is that a single or infrequent probe test
>> DNS query by the attacker will get by the counter; and if recursion is
>> allowed to external networks, your server would be seen and flagged as a
>> good target.  The solution also means that you'd be sending out a few
>> 'attack' replies whenever the counter gets reset.  But, if recursion is
>> denied by proper BIND configuration, then probe tests will fail every
>> time, and hopefully the attacker will leave you alone and go looking
>> elsewhere for a vulnerable machine.
>> 
>> =^_^=  Tigerwolf
>> _______________________________________________
>> Blueonyx mailing list
>> Blueonyx at mail.blueonyx.it
>> http://mail.blueonyx.it/mailman/listinfo/blueonyx
> 
> 
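An added audit helper, not from this thread or the BlueOnyx project, that reads the options block of a named.conf and reports whether recursion is open to anyone, restricted to listed clients, disabled, or simply left at the version-dependent default Tigerwolf warns about. The named.conf fragments are constructed samples; the helper assumes the policy lives in the top-level options block and does not inspect per-view settings.

```python
import re

# Constructed sample named.conf fragments (not taken from any real server).
OPEN_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { any; };   // what "Cache Record Lookups" effectively enables
};
"""
RESTRICTED_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 127.0.0.1; 192.0.2.0/24; };  /* only our own networks */
};
"""
DEFAULT_CONF = """
options {
    directory "/var/named";
};
"""


def audit_recursion(conf: str) -> str:
    """Classify the recursion policy of a named.conf options block.

    Returns a string starting with one of: closed, open, restricted, unknown.
    Per-view allow-recursion clauses are not examined (assumption of this helper).
    """
    conf = re.sub(r"//[^\n]*|#[^\n]*", "", conf)           # strip line comments
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)     # strip block comments
    # "recursion no;" wins regardless of any ACL (guard against "allow-recursion").
    m = re.search(r"(?<!-)\brecursion\s+(yes|no)\s*;", conf)
    if m and m.group(1) == "no":
        return "closed: recursion disabled"
    acl = re.search(r"\ballow-recursion\s*\{([^}]*)\}\s*;", conf)
    if acl is None:
        # Older BIND builds default to anyone, newer ones to localhost/localnets;
        # the file alone cannot tell, so flag it for a manual version check.
        return "unknown: no allow-recursion ACL, behaviour is the BIND version default"
    entries = [e.strip() for e in acl.group(1).split(";") if e.strip()]
    if "any" in entries or "0.0.0.0/0" in entries:
        return "open: recursion allowed to any client"
    return "restricted: recursion allowed to " + ", ".join(entries)


if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("restricted", RESTRICTED_CONF), ("default", DEFAULT_CONF)):
        print(f"{name:<10} -> {audit_recursion(conf)}")
```

Run it against a copy of /etc/named.conf with `audit_recursion(open(path).read())`; an "unknown" result is the cue to check the BIND version as the post advises.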