Solved

DNS on server 2008 R2 DDOS attack

Posted on 2013-05-16
10
1,207 Views
Last Modified: 2013-08-25
Hi.  I have a DNS server that's being exploited by DDoS.  On this DNS server I host DNS records for about 300 or so of my clients.  My ISP asked me if the server needed to be public and I said yes; however, I think I'm wrong about that.  No one needs to query the server from the outside (WAN), as in using the public IP to resolve DNS; however, I still need the records on the server to spread publicly.  I hope I'm explaining this properly, as DNS is not my forte, but I am learning.
0
Comment
Question by:hmcnasty
10 Comments
 
LVL 8

Expert Comment

by:TMekeel
ID: 39173478
Do you have the hostname for yourserverdns.yournetwork.com pointed to your firewall, and then NAT/PAT port 53 to the internal IP of the DNS server, or is your server in the DMZ and being exploited beyond just DNS?
Are they querying DNS to bring it down, or is it some other means? That is what I'm asking.
0
 

Author Comment

by:hmcnasty
ID: 39173490
We have a hostname for yourserverdns.yournetwork.com pointed to our firewall, and then NAT/PAT port 53 to the internal IP of the DNS server.

The way it was explained to me is that someone somewhere is spoofing our DNS server and making it send out DNS requests to other DNS servers. I think it's also called a denial-of-service attack (DoS attack).
0
 
LVL 8

Expert Comment

by:TMekeel
ID: 39173497
https://www.grc.com/dns/dns.htm

GRC has other tools available.
0
 
LVL 8

Expert Comment

by:TMekeel
ID: 39173507
There is also this TechNet article on turning off any unneeded services:
http://technet.microsoft.com/en-us/library/cc526450.aspx

I'm not trying to just point you at links, but hosting your own DNS isn't easy these days.
0
 
LVL 8

Expert Comment

by:TMekeel
ID: 39173515
Here is another article, more in depth, with links to Microsoft's guides to hardening DNS against attacks.  I realize they are for Server 2003, but the ideas are still relevant (and most of the commands).  If you are learning DNS, this is a good start.

http://www.cisco.com/web/about/security/intelligence/dns-bcp.html
0
 
LVL 8

Expert Comment

by:TMekeel
ID: 39173524
Also, can you look at your firewall and see if the attacks are coming from only a few static addresses on UDP 53?

If so, block them so that at least the attacks slow down while you research options to harden your servers.
0
 

Author Comment

by:hmcnasty
ID: 39173733
Is there anything in the packets that can tip me off as to whether or not it is an attack?

There are quite a few IPs showing up incoming on 53.  How much traffic is "normal"?
0
 
LVL 8

Accepted Solution

by:
TMekeel earned 500 total points
ID: 39190540
Check to see if your servers are open resolvers:
http://openresolverproject.org/

Also, read this from the IETF:
http://tools.ietf.org/html/bcp38

That should help you shore up your defenses.


Edit: This link is also in the first link I gave for the open resolver test, but it is important:
http://www.redbarn.org/dns/ratelimits
0
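To tie the accepted answer back to the earlier question of what in the packets tips off an attack, here is an added triage script (not from the thread or from any of the linked tools) that flags the two signs discussed: an external client asking the server to recurse for a name it does not host (open resolver behaviour), and one source sending a flood that is mostly ANY queries (the reflection pattern). The record format, hosted zones, LAN ranges and addresses are all constructed for the example.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed: zones this server is authoritative for, and LAN ranges allowed to recurse.
HOSTED_ZONES = ("client1.example", "client2.example")
INTERNAL_NETS = (ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8"))

def in_hosted_zone(qname):
    q = qname.rstrip(".").lower()
    return any(q == z or q.endswith("." + z) for z in HOSTED_ZONES)

def is_internal(src):
    return any(ip_address(src) in net for net in INTERNAL_NETS)

def triage(records, flood_threshold=50, any_ratio=0.5):
    """records: iterable of (src_ip, qname, qtype, recursion_desired)."""
    per_src, any_per_src = Counter(), Counter()
    open_resolver_hits = set()
    for src, qname, qtype, rd in records:
        per_src[src] += 1
        if qtype.upper() == "ANY":
            any_per_src[src] += 1
        # An outside client asking us to recurse for a name we do not host means
        # the server is behaving as an open resolver (the openresolverproject check).
        if rd and not is_internal(src) and not in_hosted_zone(qname):
            open_resolver_hits.add((src, qname))
    # A single source sending a flood that is mostly ANY queries fits reflection;
    # that address is usually the spoofed victim, so blocking it is only a stopgap
    # (BCP38 filtering upstream and response rate limiting address the cause).
    suspects = {src for src, n in per_src.items()
                if n >= flood_threshold and any_per_src[src] / n >= any_ratio}
    return {"amplification_suspects": suspects,
            "open_resolver_hits": open_resolver_hits,
            "queries_per_source": dict(per_src)}

# Constructed sample log: 120 ANY queries for a hosted zone apex from one outside
# address, a few ordinary lookups, and one outsider asking for recursion.
SAMPLE = [("198.51.100.9", "client1.example.", "ANY", False)] * 120
SAMPLE += [("192.168.1.20", "www.example.com.", "A", True)] * 5   # LAN user, recursion is fine
SAMPLE += [("203.0.113.44", "www.example.com.", "A", True)]       # outsider asking us to recurse
SAMPLE += [("203.0.113.80", "mail.client2.example.", "MX", False)] * 3  # normal authoritative lookup

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```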
 

Author Comment

by:hmcnasty
ID: 39437312
Hi.  We ended up moving all our DNS to our F5 unit and that solved the problem.  There seem to be more vulnerabilities using Windows for DNS.  We were able to identify the bad packets coming in but were unable to write a custom signature in our firewall to stop them. I'm going to award the points to TMekeel because his comments really helped me/us figure out what was going on during the attack, not to mention the insight into Windows DNS.

Thanks,

Wes
0
 

Author Closing Comment

by:hmcnasty
ID: 39437313
Thanks TMekeel for sticking with this and I apologize for not getting back to you sooner.

Wes
0
