DNS Amplification - isc.org ANY DDoS Attack

Posted on 2013-06-11
Last Modified: 2013-06-18
Hi

Recently we have noticed our firewall alerting to the fact that at certain times (varies) daily, our DNS servers are exceeding set thresholds for DNS traffic.

Having enabled perfmon to monitor this, we found at the times these alerts come through, the DNS counters do also go up dramatically.

I installed WireShark to capture this traffic and I believe we are part of a DDoS attack - however I cannot work out if we are the intended victim, or part of a reflection attack.

More importantly, I want to know how to stop it if possible.

1. The Servers (more than 1, on multiple domains) are all Windows Servers.
2. There is no open port on the Firewall to allow external connections to these DNS Servers

Given that there is no way an external connection can "spam" our DNS Servers with requests, and the servers are all hidden behind the firewall, my logical thinking is that the connection must have been started from internally?

There are 3 IPs involved in this particular capture, 2 of which we know about, and a 3rd which we do not know or have any reason to connect to/from.

192.168.22.12 is the Internal IP of this particular DNS server
194.168.4.123 is the ISP's DNS server (which we have configured as the Forwarder IP)
46.249.46.92 is an external address which we know nothing about.

WireShark Screenshot
Question by:bikerhong
6 Comments
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 39239857
I suspect you have something bigger happening here. But, as with anything, the specificity of the answer is always predicated on the quality of information provided. Screenshots are not as good as logs. And there is a trust that the information you provided about your firewall and forwarders is accurate. So, with that said, I'll break it down:

"my logical thinking is that the connection must have been started from internally?"

Not only is it coming from an internal request, it is coming *from* your server. You can determine this from the "source" IP address. If another internal machine was making the request, that IP would show up as the source. If a DNS client was making a request to the server, the server would use its legitimate forwarders. So no, this is pretty apparent that these requests are *starting* at your server.

As you say, if you have no reason to be querying 46.249.46.92, then why is your server querying it? That is your problem entry. Of course your screengrab doesn't have that particular traffic highlighted, so we can't say any more about what might be going on.

If your DNS server isn't set to forward requests to that server though, chances are it is *not* your DNS server making that query. There is very likely another program or service running on the server that is making that query directly. That should be of some concern.

I see two possibilities:

1) Your server is infected. So this rogue program is querying DNS servers it was hardcoded to query and is not using your DNS server service, bypassing any filters or forwarders you may have placed. That would be consistent with the logs we are seeing.

2) In rare cases, a legitimate program may be doing the queries. I have seen some anti-spam products that query the vendor's DNS servers directly instead of relying on an internal DNS server. If that is the case, it may not be that you are under a DDoS attack at all, but that you are undergoing intermittent periods where a spammer is hitting you hard. Of course the anti-spam product is doing its job and filtering it, but each connection will still cause a DNS lookup as part of its filtering process. Now personally, most anti-spam programs don't filter this way and don't hard-code their DNS servers, but as I said, a few do.

So now it becomes a matter of finding out which *process* on the server is making the requests. I actually find netmon and the various sysinternals tools to be more effective at this than wireshark. Wireshark on Windows uses PCAP which alters the network stack in ways that aren't always predictable. Wireshark is better suited to reading existing log files or doing other forensic work.

Hope that helps.

-Cliff
0
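The source/destination reasoning in the comment above, as an added example that is not part of the thread: the packet summary is constructed (only the three hosts named in the question are real), and the script separates "the server itself queried a host that is not its forwarder" from "an external host queried the server and got an amplified answer".

```python
import ipaddress

# Constructed summary of DNS packets as they might be read off a capture.
# Hosts are the ones named in the question; the traffic itself is made up.
SERVER = "192.168.22.12"      # internal DNS server
FORWARDER = "194.168.4.123"   # ISP forwarder configured on the server
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]

# (src, dst, kind, qname, qtype, size in bytes)
PACKETS = [
    ("192.168.22.50", SERVER, "query", "intranet.local", "A", 50),
    (SERVER, "192.168.22.50", "response", "intranet.local", "A", 80),
    (SERVER, FORWARDER, "query", "isc.org", "ANY", 64),
    (FORWARDER, SERVER, "response", "isc.org", "ANY", 3200),
    (SERVER, "46.249.46.92", "query", "isc.org", "ANY", 64),       # server-originated
    ("46.249.46.92", SERVER, "query", "isc.org", "ANY", 64),       # external client
    (SERVER, "46.249.46.92", "response", "isc.org", "ANY", 3200),  # amplified answer
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(packets, server=SERVER, forwarders=(FORWARDER,)):
    """Classify capture lines into the two patterns discussed above.

    Returns (server_originated, amplification):
      server_originated: hosts the server itself queried that are not its
        configured forwarders, i.e. some process on the server is doing lookups.
      amplification: bytes-out / bytes-in per non-internal host the server
        answered, the open-resolver / reflection symptom.
    """
    server_originated = set()
    external_clients = {}
    for src, dst, kind, _qname, _qtype, size in packets:
        if kind == "query" and src == server and dst not in forwarders:
            server_originated.add(dst)
        elif kind == "query" and dst == server and not is_internal(src):
            external_clients.setdefault(src, {"in": 0, "out": 0})["in"] += size
        elif kind == "response" and src == server and dst in external_clients:
            external_clients[dst]["out"] += size
    amplification = {ip: b["out"] / b["in"] for ip, b in external_clients.items() if b["in"]}
    return server_originated, amplification


if __name__ == "__main__":
    originated, amp = triage(PACKETS)
    print("server queried non-forwarders:", sorted(originated))
    for ip, factor in amp.items():
        print(f"answered external {ip}: amplification x{factor:.0f}")
```

On real data the packet tuples would come from a capture export; a host that shows up in both results, as 46.249.46.92 does here, needs both the local process and the firewall rule investigated.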
 
LVL 65

Expert Comment

by:btan
ID: 39240120
It helps to see why your DNS server is doing such a query, which can be triggered by itself or even intentionally by a spoofed client IP. Nonetheless, you need to check your server and do a dig check against your DNS server on a query to isc.org, to see whether they go the same route...

Some steps to prevent a DNS infrastructure from being used for reflection/amplification type attacks:

Disable querying for root on Authoritative resolvers, return REFUSED
Filter queries to Recursives from only paying customers, via ACLs
Apply BCP 140 or similar rules to cause any non-existent domain queries to respond with a REFUSED.
0
 
LVL 65

Expert Comment

by:btan
ID: 39240129
Suggest you check this out and some useful tools mentioned
http://www.us-cert.gov/ncas/alerts/TA13-088A
0
 

Accepted Solution

by:
bikerhong earned 0 total points
ID: 39244101
Our server is an open relay due to a bug in the firewall!!

We have them looking into it.
0
 
LVL 65

Expert Comment

by:btan
ID: 39244822
Also, do harden the server and do not rely solely on the FW, as the chain can still break and the DNS service can still be allowed, especially for the authoritative type. Normally internal and external have different servers.
0
 

Author Closing Comment

by:bikerhong
ID: 39255586
Firewall bug
0