Solved

DNS Amplification - isc.org ANY DDoS Attack

Posted on 2013-06-11
936 Views
Last Modified: 2013-06-18
Hi

Recently we have noticed our firewall alerting to the fact that at certain times (varies) daily, our DNS servers are exceeding set thresholds for DNS traffic.

Having enabled perfmon to monitor this, we found at the times these alerts come through, the DNS counters do also go up dramatically.

I installed WireShark to capture this traffic and I believe we are part of a DDoS attack - however I cannot work out if we are the intended victim, or part of a reflection attack.

More importantly, I want to know how to stop it if possible.

1. The Servers (more than 1, on multiple domains) are all Windows Servers.
2. There is no open port on the Firewall to allow external connections to these DNS Servers

Given that there is no way an external connection can "spam" our DNS Servers with requests, and the servers are all hidden behind the firewall, my logical thinking is that the connection must have been started from internally?

There are 3 IPs involved in this particular capture, 2 of which we know about, and a 3rd which we do not know or have any reason to connect to/from.

192.168.22.12 is the Internal IP of this particular DNS server
194.168.4.123 is the ISP's DNS server (which we have configured as the Forwarder IP)
46.249.46.92 is an external address which we know nothing about.

[WireShark screenshot]
Question by:bikerhong
6 Comments
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 39239857
I suspect you have something bigger happening here. But, as with anything, the specificity of the answer is always predicated on the quality of information provided. Screenshots are not as good as logs. And there is a trust that the information you provided about your firewall and forwarders is accurate. So, with that said, I'll break it down:

"my logical thinking is that the connection must have been started from internally?"

Not only is it coming from an internal request, it is coming *from* your server. You can determine this from the "source" IP address. If another internal machine was making the request, that IP would show up as the source. If a DNS client was making a request to the server, the server would use its legitimate forwarders. So no, this is pretty apparent that these requests are *starting* at your server.

As you say, if you have no reason to be querying 46.249.46.92, then why is your server querying it? That is your problem entry. Of course your screengrab doesn't have that particular traffic highlighted, so we can't say any more about what might be going on.

If your DNS server isn't set to forward requests to that server though, chances are it is *not* your DNS server making that query. There is very likely another program or service running on the server that is making that query directly. That should be of some concern.

I see two possibilities:

1) Your server is infected. So this rogue program is querying DNS servers it was hardcoded to query and is not using your DNS server service, bypassing any filters or forwarders you may have placed. That would be consistent with the logs we are seeing.

2) In rare cases, a legitimate program may be doing the queries. I have seen some anti-spam products that query the vendor's DNS servers directly instead of relying on an internal DNS server. If that is the case, it may not be that you are under a DDoS attack at all, but that you are undergoing intermittent periods where a spammer is hitting you hard. Of course the anti-spam product is doing its job and filtering it, but each connection will still cause a DNS lookup as part of its filtering process. Now personally, most anti-spam programs don't filter this way and don't hard-code their DNS servers, but as I said, a few do.

So now it becomes a matter of finding out which *process* on the server is making the requests. I actually find netmon and the various sysinternals tools to be more effective at this than wireshark. Wireshark on Windows uses PCAP which alters the network stack in ways that aren't always predictable. Wireshark is better suited to reading existing log files or doing other forensic work.

Hope that helps.

-Cliff
 
LVL 64

Expert Comment

by:btan
ID: 39240120
It tends to raise the question of why your DNS server is doing such a query, which can be triggered by itself or even intentionally by a spoofed client IP. Nonetheless, you need to check your server and run a dig check against your DNS server on a query to isc.org, to see whether they go the same route...

Some steps to prevent a DNS infrastructure from being used for reflection/amplification type attacks:

1. Disable querying for root on Authoritative resolvers, return REFUSED
2. Filter queries to Recursives from only paying customers, via ACLs
3. Apply BCP 140 or similar rules to cause any non-existent domain queries to respond with a REFUSED.
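An added triage example, written for this page and not posted by anyone in the thread, that applies the reasoning from the comments above to a capture: Cliff's point that the source IP tells you whether the DNS service or the server itself originated a query, and btan's point that a resolver answering external sources is being used for reflection. It assumes a constructed, simplified one-line-per-packet record format (time, source, destination, QUERY/RESPONSE, name, type, bytes), reuses the three IPs from the question purely as labels, and treats the RFC 1918 ranges as "internal". The sample records are constructed, not taken from the original capture.

```python
"""Triage DNS packet records for reflection/amplification patterns.

Added example (not from the thread). Record format is an assumption:
    <time> <src_ip> <dst_ip> <QUERY|RESPONSE> <qname> <qtype> <bytes>
"""
import ipaddress
from collections import Counter, defaultdict

RESOLVER = "192.168.22.12"          # internal DNS server (IP from the question)
FORWARDERS = {"194.168.4.123"}      # configured forwarder (IP from the question)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumed internal

# Constructed sample: an external host sends small "isc.org ANY" queries to the
# resolver, which forwards them and relays ~3 KB answers back out, plus one
# ordinary internal client lookup for comparison.
SAMPLE = """\
10:01:00.001 46.249.46.92 192.168.22.12 QUERY isc.org ANY 64
10:01:00.002 192.168.22.12 194.168.4.123 QUERY isc.org ANY 64
10:01:00.030 194.168.4.123 192.168.22.12 RESPONSE isc.org ANY 3223
10:01:00.031 192.168.22.12 46.249.46.92 RESPONSE isc.org ANY 3223
10:01:00.040 46.249.46.92 192.168.22.12 QUERY isc.org ANY 64
10:01:00.041 192.168.22.12 46.249.46.92 RESPONSE isc.org ANY 3223
10:01:00.050 46.249.46.92 192.168.22.12 QUERY isc.org ANY 64
10:01:00.051 192.168.22.12 46.249.46.92 RESPONSE isc.org ANY 3223
10:01:01.000 192.168.22.50 192.168.22.12 QUERY mail.example.local A 52
10:01:01.001 192.168.22.12 192.168.22.50 RESPONSE mail.example.local A 68
"""


def is_internal(ip):
    """True if the address falls in one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_records(text):
    """Parse the simplified record format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, kind, qname, qtype, size = line.split()
        records.append({"ts": ts, "src": src, "dst": dst, "kind": kind.upper(),
                        "qname": qname.lower(), "qtype": qtype.upper(),
                        "bytes": int(size)})
    return records


def triage(records, resolver=RESOLVER, forwarders=FORWARDERS):
    """Separate the two explanations discussed in the thread.

    - external_queriers: non-internal sources sending queries TO the resolver.
      Any hit means the resolver is reachable from outside (open resolver /
      reflection path), whatever the firewall is supposed to do.
    - server_originated: queries FROM the resolver's own IP to hosts that are
      neither a configured forwarder nor internal. The DNS service would only
      talk to its forwarders, so these point at another process on the box.
    - amplification: bytes the resolver sent out per byte of query it received,
      per (name, type); large ratios are what make a reflector attractive.
    """
    external_queriers = Counter()
    server_originated = Counter()
    query_bytes = defaultdict(int)
    response_bytes = defaultdict(int)
    for r in records:
        key = (r["qname"], r["qtype"])
        if r["kind"] == "QUERY":
            if r["dst"] == resolver:
                query_bytes[key] += r["bytes"]
                if not is_internal(r["src"]):
                    external_queriers[r["src"]] += 1
            elif (r["src"] == resolver and r["dst"] not in forwarders
                  and not is_internal(r["dst"])):
                server_originated[r["dst"]] += 1
        elif r["kind"] == "RESPONSE" and r["src"] == resolver:
            response_bytes[key] += r["bytes"]
    amplification = {k: round(response_bytes.get(k, 0) / qb, 1)
                     for k, qb in query_bytes.items() if qb}
    return {
        "open_resolver_suspected": bool(external_queriers),
        "external_queriers": dict(external_queriers),
        "server_originated": dict(server_originated),
        "amplification": amplification,
        "worst_amplifier": max(amplification, key=amplification.get) if amplification else None,
    }


if __name__ == "__main__":
    for k, v in triage(parse_records(SAMPLE)).items():
        print(f"{k}: {v}")
```

On the constructed sample the verdict is the one the thread eventually reached: external source, resolver relaying answers, roughly 50x byte amplification on the ANY query, and nothing originated by the server itself. A real run would feed records exported from the capture instead of SAMPLE; if `server_originated` is non-empty, Cliff's process-level investigation with netmon or the Sysinternals tools is the next step rather than firewall changes.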
 
LVL 64

Expert Comment

by:btan
ID: 39240129
Suggest you check this out and some useful tools mentioned
http://www.us-cert.gov/ncas/alerts/TA13-088A

 

Accepted Solution

by:
bikerhong earned 0 total points
ID: 39244101
Our server is an open relay due to a bug in the firewall!!

We have them looking into it.
 
LVL 64

Expert Comment

by:btan
ID: 39244822
Also do harden the server and not rely solely on the FW, as the chain can still break and the DNS service can still be allowed, especially for the authoritative type. Normally internal and external have different servers.
 

Author Closing Comment

by:bikerhong
ID: 39255586
Firewall bug