hmcnasty
asked on
DNS on server 2008 R2 DDOS attack
Hi. I have a DNS server that's being exploited by DDoS. On this DNS server I host DNS records for about 300 or so of my clients. My ISP asked me if the server needed to be public and I said yes; however, I think I'm wrong about that. No one needs to query the server from the outside (WAN), as in using the public IP to resolve DNS; however, I still need the records on the server to spread publicly. I hope I am explaining this properly, as DNS is not my forte, but I am learning.
ASKER
We have a hostname for yourserverdns.yournetwork.com pointed to our firewall, and then NAT/PAT port 53 to the internal IP of the DNS server.
The way it was explained to me is that someone somewhere is spoofing our DNS server and making it send out DNS requests to other DNS servers. I think it's also called a denial-of-service attack (DoS attack).
There is also this technet for turning off any unneeded services.
http://technet.microsoft.com/en-us/library/cc526450.aspx
I'm not trying to just point you at links, but hosting your own DNS isn't easy these days.
Here is another article, more in depth, with links to Microsoft's guides to hardening DNS against attacks. I realize they are for Server 2003, but the ideas are still relevant (and most of the commands). If you are learning DNS, this is a good start.
http://www.cisco.com/web/about/security/intelligence/dns-bcp.html
Also, can you look at your firewall and see if the attacks are coming from only a few static addresses on UDP 53?
If so, block them so that at least the attacks slow down while you research options to harden your servers.
ASKER
Is there anything in the packets that can tip me off as to whether or not it is an attack?
There are quite a few IPs showing up incoming on 53. How much traffic is "normal"?
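The three threads running through this discussion (a spoofed source making the server answer queries it should not be answering, checking whether the UDP/53 traffic comes from only a few addresses, and telling attack packets apart from normal volume) can all be checked from a query log. The script below is an added example for this thread, not code from the original post, from Experts Exchange, or from Microsoft or F5. It assumes a constructed, simplified log format (date, time, protocol, source IP, query type, query name), not the Windows Server 2008 R2 DNS debug-log layout; the hosted-zone list, the baseline rate and the thresholds are assumptions you would replace with your own values.

```python
"""Triage a DNS query log for signs the server is being used as a reflector.

Added example for this thread, not code from the original post, from Experts
Exchange, or from Microsoft/F5. The log format is a constructed, simplified
one (date time proto src_ip qtype qname); it is NOT the Windows Server 2008 R2
DNS debug-log layout, which needs its own parser.
"""
from collections import Counter
from datetime import datetime

# Query types whose answers are large relative to the request; these are the
# ones abused for amplification, so repeated requests for them stand out.
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}

# Constructed sample: two ordinary lookups for a hosted zone, then a burst of
# identical ANY queries for a zone this server does not host, from two sources,
# then two more ordinary lookups a minute later. IPs are documentation ranges
# and bigzone.example is a placeholder name.
SAMPLE_LOG = """\
2013-04-02 10:00:01 UDP 203.0.113.10 A www.example.com
2013-04-02 10:00:02 UDP 203.0.113.11 MX example.com
2013-04-02 10:00:02 UDP 198.51.100.7 ANY bigzone.example
2013-04-02 10:00:02 UDP 198.51.100.7 ANY bigzone.example
2013-04-02 10:00:03 UDP 198.51.100.7 ANY bigzone.example
2013-04-02 10:00:03 UDP 198.51.100.7 ANY bigzone.example
2013-04-02 10:00:04 UDP 198.51.100.7 ANY bigzone.example
2013-04-02 10:00:04 UDP 198.51.100.7 ANY bigzone.example
2013-04-02 10:00:05 UDP 198.51.100.8 ANY bigzone.example
2013-04-02 10:00:05 UDP 198.51.100.8 ANY bigzone.example
2013-04-02 10:00:06 UDP 198.51.100.8 ANY bigzone.example
2013-04-02 10:00:06 UDP 198.51.100.8 ANY bigzone.example
2013-04-02 10:01:10 UDP 203.0.113.12 A mail.example.com
2013-04-02 10:01:30 UDP 203.0.113.10 AAAA www.example.com
"""


def parse_log(text):
    """Turn log lines into dicts; malformed lines are skipped rather than fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        date, clock, proto, src, qtype, qname = parts
        records.append({
            "ts": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            "proto": proto.upper(),
            "src": src,
            "qtype": qtype.upper(),
            "qname": qname.rstrip(".").lower(),
        })
    return records


def in_hosted_zone(qname, hosted_zones):
    """True if qname is the apex of, or a name under, a zone this server hosts."""
    return any(qname == z or qname.endswith("." + z) for z in hosted_zones)


def triage(records, hosted_zones, baseline_qpm, spike_factor=5, min_repeat=3):
    """Compare volume against a baseline and flag sources with attack-like patterns.

    baseline_qpm is the operator's normal queries-per-minute (measured on a quiet
    day); spike_factor and min_repeat are assumed thresholds to be tuned locally.
    """
    by_minute = Counter(r["ts"].replace(second=0) for r in records)
    peak_qpm = max(by_minute.values(), default=0)
    per_source = Counter(r["src"] for r in records)

    # Reflection traffic looks like the same question over and over from the
    # same (spoofed) address, usually for a big answer or for a foreign zone.
    repeats = Counter((r["src"], r["qtype"], r["qname"]) for r in records)
    suspects = {}
    for (src, qtype, qname), n in repeats.items():
        reasons = []
        if qtype in AMPLIFYING_QTYPES:
            reasons.append(f"{qtype} query (large answer)")
        if not in_hosted_zone(qname, hosted_zones):
            reasons.append("name not in a hosted zone (recursion being abused)")
        if reasons and n >= min_repeat:
            suspects.setdefault(src, []).append(
                f"{n}x {qtype} {qname}: " + "; ".join(reasons))

    return {
        "total": len(records),
        "peak_qpm": peak_qpm,
        "spike": peak_qpm > spike_factor * baseline_qpm,
        "per_source": dict(per_source.most_common()),
        "suspects": suspects,
    }


if __name__ == "__main__":
    report = triage(parse_log(SAMPLE_LOG), hosted_zones={"example.com"}, baseline_qpm=2)
    print(f"{report['total']} queries, peak {report['peak_qpm']}/min, spike={report['spike']}")
    for src, notes in report["suspects"].items():
        print(src, "->", "; ".join(notes))
```

On the sample, the two sources sending repeated ANY queries for a zone the server does not host are flagged and the 10:00 minute is a spike against the assumed baseline of 2 queries per minute. One caveat for acting on the per-source list: when a server is used as a reflector, the source addresses in the queries are the spoofed addresses of the real victim, so firewalling them trims your outbound flood but is not the fix; the fix is to stop answering recursive queries for outside clients (an authoritative-only server for your 300 clients' zones does not need recursion, and the Windows DNS server has a "Disable recursion" option under its advanced properties) and to rate-limit what remains.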
ASKER CERTIFIED SOLUTION
ASKER
Hi. We ended up moving all our DNS to our F5 unit and that solved the problem. There seem to be more vulnerabilities using Windows for DNS. We were able to identify the bad packets coming in but were unable to write a custom signature in our firewall to stop them. I'm going to award the points to TMekeel because his comments really helped me/us figure out what was going on during the attack, not to mention the insight into Windows DNS.
Thanks,
Wes
ASKER
Thanks TMekeel for sticking with this and I apologize for not getting back to you sooner.
Wes
What I'm asking is: are they querying DNS to bring it down, or using some other means?