Solved

DNS on server 2008 R2 DDOS attack

Posted on 2013-05-16
Last Modified: 2013-08-25
Hi.  I have a DNS server that's being exploited by DDOS.  On this DNS server I host DNS records for about 300 or so of my clients.  My ISP asked me if the server needed to be public and I said yes; however, I think I'm wrong about that.  No one needs to query the server from the outside (WAN), as in using the public IP to resolve DNS; however, I still need the records on the server to spread publicly.  I hope I am explaining this properly, as DNS is not my forte, but I am learning.
Question by:hmcnasty
10 Comments
 
LVL 8

Expert Comment

by:TMekeel
ID: 39173478
You have the hostname for yourserverdns.yournetwork.com pointed to your firewall, and then NAT/PAT port 53 to the internal IP of the DNS server, or is your server in the DMZ and being exploited beyond just DNS?  
Are they querying DNS to bring it down, or using some other means? That is what I'm asking.
0
 

Author Comment

by:hmcnasty
ID: 39173490
We have a hostname for yourserverdns.yournetwork.com pointed to our firewall, and then NAT/PAT port 53 to the internal IP of the DNS server.  

The way it was explained to me is that someone somewhere is spoofing our DNS server and making it send out DNS requests to other DNS servers. I think it's also called a denial-of-service attack (DoS attack).
0
 
LVL 8

Expert Comment

by:TMekeel
ID: 39173497
https://www.grc.com/dns/dns.htm

GRC has other tools available.
0
 
LVL 8

Expert Comment

by:TMekeel
ID: 39173507
There is also this TechNet article on turning off any unneeded services.
http://technet.microsoft.com/en-us/library/cc526450.aspx

I'm not trying to just point you at links, but hosting your own DNS isn't easy these days.
0
 
LVL 8

Expert Comment

by:TMekeel
ID: 39173515
Here is another article, more in depth, with links to Microsoft's guides to hardening DNS against attacks.  I realize they are for Server 2003, but the ideas are still relevant (and most of the commands).  If you are learning DNS, this is a good start.

http://www.cisco.com/web/about/security/intelligence/dns-bcp.html
0
 
LVL 8

Expert Comment

by:TMekeel
ID: 39173524
Also, can you look at your firewall and see if the attacks are coming from only a few static addresses on UDP 53?

If so, block them so that at least the attacks slow down while you research options to harden your servers.
0
 

Author Comment

by:hmcnasty
ID: 39173733
Is there anything in the packets that can tip me off as to whether or not it is an attack?

There are quite a few IPs showing up incoming on 53.  How much traffic is "normal"?
0
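Editor's note: the two posts above (the advice to look at the firewall for a few heavy sources on UDP 53, and the question of what in the packets gives an attack away) are the point where a practitioner wants something concrete to run. The script below is an added example, not code from the thread or from Microsoft. It triages Windows Server 2008 R2 DNS debug-log lines (DNS Manager, server properties, Debug Logging tab; the layout assumed here is date, time, thread id, PACKET, packet address, protocol, Snd/Rcv, remote IP, XID, Q or R Q, [flags], query type, name in length-prefixed form) and flags the three things that usually mark reflection traffic: many queries from one source in a short window, the ANY query type (largest responses), and names this server does not host (which it would only answer if it is an open recursive resolver). The log lines, IP addresses and the hosted-zone list are constructed for the example.

```python
"""Triage Windows DNS debug-log lines for DNS reflection/amplification signs.

Added example for the thread, not the original poster's or Microsoft's code.
The log lines below are constructed (RFC 5737 documentation addresses) in the
Windows Server 2008 R2 DNS debug-log layout; adjust LINE_RE if your log differs.
"""
import re
from collections import Counter

# Constructed sample: one spoofed "source" (really the victim) sending ANY
# queries for large zones this server does not host, a second one sending ANY
# for a hosted zone, and one ordinary resolver asking normal questions.
SAMPLE_LOG = """\
5/16/2013 10:02:13 AM 0B4C PACKET  00000000038A3F70 UDP Rcv 198.51.100.7     4a1b   Q [0001   D   NOERROR] ANY    (4)ripe(3)net(0)
5/16/2013 10:02:13 AM 0B4C PACKET  00000000038A3F70 UDP Rcv 198.51.100.7     4a1c   Q [0001   D   NOERROR] ANY    (4)ripe(3)net(0)
5/16/2013 10:02:13 AM 0B4C PACKET  00000000038A3F70 UDP Rcv 198.51.100.7     4a1d   Q [0001   D   NOERROR] ANY    (4)ripe(3)net(0)
5/16/2013 10:02:14 AM 0B4C PACKET  00000000038A3F70 UDP Rcv 203.0.113.9      0077   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
5/16/2013 10:02:14 AM 0B4C PACKET  00000000038A3F70 UDP Snd 203.0.113.9      0077   R Q [8085   A DR  NOERROR] A      (3)www(7)example(3)com(0)
5/16/2013 10:02:14 AM 0B4C PACKET  00000000038A3F70 UDP Rcv 203.0.113.9      0078   Q [0001   D   NOERROR] MX     (7)example(3)com(0)
5/16/2013 10:02:15 AM 0B4C PACKET  00000000038A3F70 UDP Rcv 192.0.2.33       9f01   Q [0001   D   NOERROR] ANY    (7)example(3)com(0)
5/16/2013 10:02:15 AM 0B4C PACKET  00000000038A3F70 UDP Rcv 192.0.2.33       9f02   Q [0001   D   NOERROR] ANY    (7)example(3)com(0)
5/16/2013 10:02:15 AM 0B4C PACKET  00000000038A3F70 UDP Rcv 198.51.100.7     4a1e   Q [0001   D   NOERROR] ANY    (3)isc(3)org(0)
5/16/2013 10:02:15 AM 0B4C PACKET  00000000038A3F70 UDP Snd 198.51.100.7     4a1e   R Q [8081   DR  NOERROR] ANY    (3)isc(3)org(0)
"""

# Matches from the protocol field onward; responses carry "R Q", queries just "Q".
LINE_RE = re.compile(
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Rcv|Snd)\s+(?P<ip>\S+)\s+(?P<xid>[0-9a-fA-F]{4})\s+"
    r"(?P<resp>R\s+)?Q\s+\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)"
)


def decode_name(raw):
    """Turn the log's "(3)www(7)example(3)com(0)" into "www.example.com"."""
    return re.sub(r"\(\d+\)", ".", raw).strip(".").lower()


def parse_line(line):
    """Return a dict for one debug-log line, or None if it is not a packet line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "proto": d["proto"],
        "dir": d["dir"],
        "ip": d["ip"],
        "xid": d["xid"],
        "response": d["resp"] is not None,
        "flags": d["flags"].split(),
        "qtype": d["qtype"].upper(),
        "name": decode_name(d["name"]),
    }


def in_hosted_zone(name, zones):
    """True if name is within one of the zones this server is authoritative for."""
    return any(name == z or name.endswith("." + z) for z in zones)


def triage(log_text, hosted_zones, per_source_threshold=3):
    """Count received queries per source and explain why a source looks suspicious.

    Only inbound queries (Rcv, not responses) are counted. A source is listed in
    "suspects" if it sent at least per_source_threshold queries in the log window,
    any ANY query, or any query for a name outside the hosted zones.
    """
    zones = {z.lower().strip(".") for z in hosted_zones}
    per_source = Counter()
    any_queries = Counter()
    off_zone = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dir"] != "Rcv" or rec["response"]:
            continue
        per_source[rec["ip"]] += 1
        if rec["qtype"] == "ANY":
            any_queries[rec["ip"]] += 1
        if not in_hosted_zone(rec["name"], zones):
            off_zone.setdefault(rec["ip"], set()).add(rec["name"])

    suspects = {}
    for ip, n in per_source.items():
        why = []
        if n >= per_source_threshold:
            why.append("%d queries in window" % n)
        if any_queries[ip]:
            why.append("%d ANY queries" % any_queries[ip])
        if ip in off_zone:
            why.append("names not hosted here: " + ", ".join(sorted(off_zone[ip])))
        if why:
            suspects[ip] = why
    return {"per_source": dict(per_source), "suspects": suspects}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, hosted_zones={"example.com"})
    for ip, reasons in sorted(report["suspects"].items()):
        print(ip, "->", "; ".join(reasons))
```

Two caveats when acting on the output. First, in a reflection attack the "source" address is the spoofed victim, not the attacker, so a firewall block on that address stops your server flooding the victim but does nothing to reduce the inbound load; the inbound load only drops when the server stops being an attractive reflector (recursion disabled for outside clients, ANY answers small or refused). Second, the debug-log line does not carry packet sizes, so the amplification ratio has to come from a packet capture; the script can only tell you which sources and query types to look at.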
 
LVL 8

Accepted Solution

by:TMekeel (earned 500 total points)
ID: 39190540
Check to see if your servers are open resolvers:
http://openresolverproject.org/

Also, read this from the IETF:
http://tools.ietf.org/html/bcp38

That should help you shore up your defenses.


Edit--This link is also in the first link I gave for the openresolver test, but important:
http://www.redbarn.org/dns/ratelimits
0
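Editor's note: the accepted answer points at the Open Resolver Project test. For a practitioner who wants to run the same check against their own server, here is an added example (not code from the thread, the Open Resolver Project, or Microsoft). It builds a DNS query by hand with the recursion-desired bit set for a name the server does not host and reads the response header: an authoritative-only server answers with RA clear and typically REFUSED or an empty referral, while an open resolver answers with RA set, NOERROR and an answer section. The probe name, the server address and the header bytes used in the self-test are assumptions constructed for the example; run the probe against a server you operate, from a host outside your NAT, because a test from the LAN side does not show what the Internet sees.

```python
"""Open-resolver check with a hand-built DNS query (standard library only).

Added example for the thread, not the original poster's or any project's code.
The bytes in the self-test are constructed; probe() talks to a real server.
"""
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, rd=True, xid=None):
    """Build a single-question DNS query (qtype 1 = A); rd=True sets the RD bit."""
    if xid is None:
        xid = random.randrange(0x10000)
    flags = 0x0100 if rd else 0x0000          # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", xid, flags, 1, 0, 0, 0)  # QD=1, AN/NS/AR=0
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(data):
    """Decode the 12-byte DNS header into the flags an open-resolver check needs."""
    if len(data) < 12:
        raise ValueError("truncated DNS message")
    xid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "xid": xid,
        "qr": bool(flags & 0x8000),           # response bit
        "aa": bool(flags & 0x0400),           # authoritative answer
        "rd": bool(flags & 0x0100),           # recursion desired (echoed)
        "ra": bool(flags & 0x0080),           # recursion available
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }


def classify(hdr):
    """Map a parsed header to a verdict for a query the server is not authoritative for."""
    if not hdr["qr"]:
        return "not a response"
    if hdr["ra"] and hdr["rcode"] == "NOERROR" and hdr["answers"] > 0:
        return "open resolver"
    if not hdr["ra"] or hdr["rcode"] == "REFUSED":
        return "recursion refused"
    return "inconclusive"


def probe(server_ip, name="www.example.com", timeout=3.0):
    """Send one RD=1 query to server_ip:53/udp and return (verdict, parsed header).

    Use a name the server does not host (assumed here: www.example.com) so that a
    positive answer can only come from recursion.
    """
    xid = random.randrange(0x10000)
    query = build_query(name, xid=xid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no answer (filtered or down)", None
    hdr = parse_header(data)
    if hdr["xid"] != xid:
        return "inconclusive (XID mismatch)", hdr
    return classify(hdr), hdr


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed default
    verdict, hdr = probe(target)
    print(target, "->", verdict, hdr)
```

If the verdict is "open resolver" on a server that only hosts your clients' zones, the Windows-side fix is to turn recursion off (the "Disable recursion" box on the server's Advanced tab in DNS Manager, or `dnscmd /Config /NoRecursion 1`); the server keeps answering for the zones it hosts, which is the "records still spread publicly" requirement from the question. BCP38 (source-address validation) is something your ISP applies at its edge, and it protects other people from spoofed packets leaving your network; it does not stop spoofed queries arriving at your server, which is why the recursion and rate-limiting changes on the server itself matter.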
 

Author Comment

by:hmcnasty
ID: 39437312
Hi.  We ended up moving all our DNS to our F5 unit and that solved the problem.  There seem to be more vulnerabilities using Windows for DNS.  We were able to identify the bad packets coming in but were unable to write a custom signature in our firewall to stop them. I'm going to award the points to TMekeel because his comments really helped me/us figure out what was going on during the attack, not to mention the insight into Windows DNS.

Thanks,

Wes
0
 

Author Closing Comment

by:hmcnasty
ID: 39437313
Thanks TMekeel for sticking with this and I apologize for not getting back to you sooner.

Wes
0
