Solved

DNS on server 2008 R2 DDOS attack

Posted on 2013-05-16
1,221 Views
Last Modified: 2013-08-25
Hi. I have a DNS server that's being exploited by DDOS. On this DNS server I host DNS records for about 300 or so of my clients. My ISP asked me if the server needed to be public and I said yes; however, I think I'm wrong about that. No one needs to query the server from the outside (WAN), as in using the public IP to resolve DNS; however, I still need the records on the server to spread publicly. I hope I am explaining this properly, as DNS is not my forte, but I am learning.
Question by:hmcnasty
10 Comments
 
LVL 8

Expert Comment

by:TMekeel
ID: 39173478
You have the hostname for yourserverdns.yournetwork.com pointed to your firewall, and then NAT/PAT port 53 to your internal IP of the DNS server, or is your server in the DMZ and being exploited outside of just DNS?
They are querying DNS to bring it down, or some other means, is what I'm asking.

Author Comment

by:hmcnasty
ID: 39173490
We have a hostname for yourserverdns.yournetwork.com pointed to our firewall, and then NAT/PAT port 53 to the internal IP of the DNS server.

The way it was explained to me is that someone somewhere is spoofing our DNS server and making it send out DNS requests to other DNS servers. I think it's also called a denial-of-service attack (DoS attack).
LVL 8

Expert Comment

by:TMekeel
ID: 39173497
https://www.grc.com/dns/dns.htm

GRC has other tools available.
 
LVL 8

Expert Comment

by:TMekeel
ID: 39173507
There is also this TechNet article for turning off any unneeded services:
http://technet.microsoft.com/en-us/library/cc526450.aspx

I'm not trying to just point you at links, but hosting your own DNS isn't easy these days.
LVL 8

Expert Comment

by:TMekeel
ID: 39173515
Here is another article, more in depth, with links to Microsoft's guides to hardening DNS against attacks. I realize they are for Server 2003, but the ideas are still relevant (and most of the commands). If you are learning DNS, this is a good start.

http://www.cisco.com/web/about/security/intelligence/dns-bcp.html
LVL 8

Expert Comment

by:TMekeel
ID: 39173524
Also, can you look at your firewall and see if the attacks are coming from only a few static addresses on UDP 53?

If so, block them so that at least the attacks slow down while you research options to harden your servers.

Author Comment

by:hmcnasty
ID: 39173733
Is there anything in the packets that can tip me off as to whether or not it is an attack?

There are quite a few IPs showing up incoming on 53. How much traffic is "normal"?
LVL 8

Accepted Solution

by:
TMekeel earned 500 total points
ID: 39190540
Check to see if your servers are open resolvers:
http://openresolverproject.org/

Also, read this from the IETF:
http://tools.ietf.org/html/bcp38

That should help you shore up your defenses.


Edit--This link is also in the first link I gave for the openresolver test, but important:
http://www.redbarn.org/dns/ratelimits
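The question above asked what in the packets can tip you off. Reflection/amplification abuse of a resolver usually shows up as recursion-desired queries for QTYPE ANY or with a large EDNS0 UDP payload size, repeated many times for the same name from a small set of (spoofed) source addresses. The following is an added example, not code from the thread or from any product mentioned in it: it parses raw DNS queries and flags that pattern. Packet contents, addresses and the threshold are constructed for illustration.

```python
import struct
from collections import Counter

QTYPE_ANY = 255
OPT_TYPE = 41  # EDNS0 OPT pseudo-RR; its CLASS field carries the advertised UDP payload size


def parse_query(pkt):
    """Return (qname, qtype, rd, edns_size) from a raw DNS query; edns_size is None without OPT."""
    _txid, flags, _qd, _an, _ns, ar = struct.unpack("!6H", pkt[:12])
    rd = bool(flags & 0x0100)  # RD bit: client is asking for recursion
    off, labels = 12, []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            break
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    edns = None
    for _ in range(ar):  # additional section: only root-named OPT RRs are handled here
        if pkt[off] != 0:
            break
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off + 1:off + 11])
        if rtype == OPT_TYPE:
            edns = rclass
        off += 11 + rdlen
    return ".".join(labels), qtype, rd, edns


def build_query(qname, qtype, rd=True, edns=None):
    """Constructed test input only: a minimal DNS query in wire format."""
    flags = 0x0100 if rd else 0
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    pkt = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 1 if edns else 0)
    pkt += q + struct.pack("!HH", qtype, 1)
    if edns:
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns, 0, 0)
    return pkt


def suspicious_sources(packets, threshold=3):
    """packets: iterable of (src_ip, raw_query). Returns {(src_ip, qname): count} for
    sources repeating recursive ANY / large-EDNS queries for one name >= threshold times."""
    hits = Counter()
    for src, raw in packets:
        qname, qtype, rd, edns = parse_query(raw)
        if rd and (qtype == QTYPE_ANY or (edns or 0) >= 4096):
            hits[(src, qname)] += 1
    return {key: n for key, n in hits.items() if n >= threshold}
```

Feed it the UDP/53 payloads from a capture taken at the firewall; a handful of sources repeating the same ANY query with a 4096-byte EDNS size is the signature to compare against your "normal" baseline of diverse names and mostly A/AAAA/MX queries.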

Author Comment

by:hmcnasty
ID: 39437312
Hi. We ended up moving all our DNS to our F5 unit and that solved the problem. There seem to be more vulnerabilities using Windows for DNS. We were able to identify the bad packets coming in but were unable to write a custom signature in our firewall to stop them. I'm going to award the points to TMekeel because his comments really helped me/us figure out what was going on during the attack, not to mention the insight into Windows DNS.

Thanks,

Wes

Author Closing Comment

by:hmcnasty
ID: 39437313
Thanks TMekeel for sticking with this and I apologize for not getting back to you sooner.

Wes
