Solved

DNS on server 2008 R2 DDOS attack

Posted on 2013-05-16
10
1,156 Views
Last Modified: 2013-08-25
Hi.  I have a DNS server that's being exploited by DDOS.  On this DNS server I host DNS records for about 300 or so of my clients.  My ISP asked me if the server needed to be public and I said yes, however I think I'm wrong about that.  No one needs to query the server from the outside (wan) as in using the public IP to resolve DNS however, I still the records on the server to spread publicly.  I hope I can explaining this properly as DNS is not my forte but I am learning.
0
Comment
Question by:hmcnasty
  • 6
  • 4
10 Comments
 
LVL 8

Expert Comment

by:TMekeel
Comment Utility
You have the hostname for yourserverdns.yournetwork.com pointed to your firewall, and then nat/pat port 53 to your internal IP of the DNS server, or your server is in the DMZ and is being exploited outside of just DNS?  
They are querying DNS to bring it down or some other means is what I'm asking.
0
 

Author Comment

by:hmcnasty
Comment Utility
We have a hostname for yourserverdns.yournetwork.com pointed to our firewall, and then nat/pat port 53 to your internal IP of the DNS server.  

The way it was explained to me is that someone somewhere is spoofing our DNS server and making it send out DNS requests to other DNS servers I think its also called a denial-of-service attack (DoS attack)
0
 
LVL 8

Expert Comment

by:TMekeel
Comment Utility
https://www.grc.com/dns/dns.htm

GRC has other tools available.
0
 
LVL 8

Expert Comment

by:TMekeel
Comment Utility
There is also this technet for turning off any unneeded services.
http://technet.microsoft.com/en-us/library/cc526450.aspx

I'm not trying to just point you at links, but hosting your own dns isnt easy these days.
0
 
LVL 8

Expert Comment

by:TMekeel
Comment Utility
Here is another article, more in depth and links to Microsoft's guides to hardening DNS against attacks.  I realize they are for server 2003, but the ideas are still relevant (and most of the commands.)  If you are learning DNS, this is a good start.

http://www.cisco.com/web/about/security/intelligence/dns-bcp.html
0
Don't lose your head updating email signatures!

Do your end users still have the wrong email signature? Do email signature updates bore you or fill you with a sense of dread? You can make this a whole lot easier on yourself by trusting an Exclaimer email signature management solution. Over 50 million users do...so should you!

 
LVL 8

Expert Comment

by:TMekeel
Comment Utility
Also, can you look at your firewall and see if the attacks are coming from only a few static addresses on UDP 53?

If so, block them so that at least the attacks slow down while you research options to harden your servers.
0
 

Author Comment

by:hmcnasty
Comment Utility
Is there anything in the packets that can tip me off as to whether or not is an attack?

there are quite a few IPs showing up incoming on 53.  How much traffic is "normal"?
0
 
LVL 8

Accepted Solution

by:
TMekeel earned 500 total points
Comment Utility
Check to see if your servers are open resolvers:
http://openresolverproject.org/

Also, read this from the IETF:
http://tools.ietf.org/html/bcp38

That should help your shore up your defenses.


Edit--This link is also in the first link I gave for the openresolver test, but important:
http://www.redbarn.org/dns/ratelimits
0
 

Author Comment

by:hmcnasty
Comment Utility
Hi.  We ended up moving all our DNS to our F5 unit and that solved the problem.  There seems to be more vulnerabilities using windows for DNS.  We were able to identify the bad packets coming in but were unable to write a custom signature in our firewall to stop them. I'm going to award the points to TMekeel because his comments really helped me/us figure out what was going on during the attack, not to mention the insight into windows DNS

Thanks,

Wes
0
 

Author Closing Comment

by:hmcnasty
Comment Utility
Thanks TMekeel for sticking with this and I apologize for not getting back to you sooner.

Wes
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Suggested Solutions

I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now