Solved

DNS Amplification - isc.org ANY DDoS Attack

Posted on 2013-06-11
Last Modified: 2013-06-18
Hi

Recently we have noticed our firewall alerting to the fact that at certain times (varies) daily, our DNS servers are exceeding set thresholds for DNS traffic.

Having enabled perfmon to monitor this, we found at the times these alerts come through, the DNS counters do also go up dramatically.

I installed WireShark to capture this traffic and I believe we are part of a DDoS attack - however I cannot work out if we are the intended victim, or part of a reflection attack.

More importantly, I want to know how to stop it if possible.

1. The Servers (more than 1, on multiple domains) are all Windows Servers.
2. There is no open port on the Firewall to allow external connections to these DNS Servers

Given that there is no way an external connection can "spam" our DNS Servers with requests, and the servers are all hidden behind the firewall, my logical thinking is that the connection must have been started from internally?

There are 3 IPs involved in this particular capture, 2 of which we know about, and a 3rd which we do not know or have any reason to connect to/from.

192.168.22.12 is the Internal IP of this particular DNS server
194.168.4.123 is the ISP's DNS server (which we have configured as the Forwarder IP)
46.249.46.92 is an external address which we know nothing about.

[WireShark screenshot]

Question by:bikerhong

6 Comments
LVL 56

Expert Comment

by:Cliff Galiher
ID: 39239857
I suspect you have something bigger happening here. But, as with anything, the specificity of the answer is always predicated on the quality of information provided. Screenshots are not as good as logs. And there is a trust that the information you provided about your firewall and forwarders is accurate. So, with that said, I'll break it down:

"my logical thinking is that the connection must have been started from internally?"

Not only is it coming from an internal request, it is coming *from* your server. You can determine this from the "source" IP address. If another internal machine was making the request, that IP would show up as the source. If a DNS client was making a request to the server, the server would use its legitimate forwarders. So no, this is pretty apparent that these requests are *starting* at your server.

As you say, if you have no reason to be querying 46.249.46.92, then why is your server querying it? That is your problem entry. Of course your screengrab doesn't have that particular traffic highlighted, so we can't say any more about what might be going on.

If your DNS server isn't set to forward requests to that server though, chances are it is *not* your DNS server making that query. There is very likely another program or service running on the server that is making that query directly. That should be of some concern.

I see two possibilities:

1) Your server is infected. So this rogue program is querying DNS servers it was hardcoded to query and is not using your DNS server service, bypassing any filters or forwarders you may have placed. That would be consistent with the logs we are seeing.

2) In rare cases, a legitimate program may be doing the queries. I have seen some anti-spam products that query the vendor's DNS servers directly instead of relying on an internal DNS server. If that is the case, it may not be that you are under a DDoS attack at all, but that you are undergoing intermittent periods where a spammer is hitting you hard. Of course the anti-spam product is doing its job and filtering it, but each connection will still cause a DNS lookup as part of its filtering process. Now personally, most anti-spam programs don't filter this way and don't hard-code their DNS servers, but as I said, a few do.

So now it becomes a matter of finding out which *process* on the server is making the requests. I actually find netmon and the various sysinternals tools to be more effective at this than wireshark. Wireshark on Windows uses PCAP which alters the network stack in ways that aren't always predictable. Wireshark is better suited to reading existing log files or doing other forensic work.

Hope that helps.

-Cliff
LVL 62

Expert Comment

by:btan
ID: 39240120
I tend to see why your DNS server is doing such a query, which can be triggered by itself or even by a spoofed client IP intentionally. Nonetheless, you need to check your server and do a dig check against your DNS server on a query to isc.org, to see whether they go the same route...

Some steps to prevent a DNS infrastructure from being used for reflection/amplification type attacks:

Disable querying for root on Authoritative resolvers, return REFUSED
Filter queries to Recursives from only paying customers, via ACLs
Apply BCP 140 or similar rules to cause any non-existent domain queries to respond with a REFUSED.
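Cliff's point about reading the source address and btan's suggestion to check how the server handles the isc.org ANY query both come down to classifying who asked and who answered. The following Python is an added example, not code from the thread; it runs over a constructed list of packet records (the kind you would export from a capture with tshark), uses the question's server and forwarder addresses plus an assumed 192.168.0.0/16 internal range, and labels each external peer as a host we are answering (reflector case, with the amplification ratio), a source of responses we never asked for (victim case), or a host the server itself is querying directly (Cliff's "which process" case).

```python
"""Triage DNS capture records: is this server a reflector, a victim, or
querying an unknown host on its own?  Added example, not from the thread."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SERVER = "192.168.22.12"                 # internal DNS server from the question
FORWARDER = "194.168.4.123"              # ISP forwarder from the question
INTERNAL = ip_network("192.168.0.0/16")  # assumed internal range (not stated in the thread)


@dataclass
class Rec:
    """One DNS datagram: endpoints, question, whether it is a response, payload size."""
    src: str
    dst: str
    qname: str
    qtype: str
    response: bool
    length: int  # UDP payload bytes


# Constructed sample exchange; the sizes are illustrative, not from the screenshot.
SAMPLE = [
    Rec("46.249.46.92", SERVER, "isc.org", "ANY", False, 64),    # external query hits us
    Rec(SERVER, FORWARDER, "isc.org", "ANY", False, 64),         # we forward it
    Rec(FORWARDER, SERVER, "isc.org", "ANY", True, 3200),        # forwarder answers
    Rec(SERVER, "46.249.46.92", "isc.org", "ANY", True, 3200),   # we reflect the big answer
    Rec("46.249.46.92", SERVER, "isc.org", "ANY", False, 64),
    Rec(SERVER, "46.249.46.92", "isc.org", "ANY", True, 3200),
    Rec("192.168.22.40", SERVER, "www.example.com", "A", False, 50),  # normal internal client
    Rec(SERVER, "192.168.22.40", "www.example.com", "A", True, 82),
]


def classify(records, server=SERVER, forwarder=FORWARDER, internal=INTERNAL):
    """Return {peer_ip: (verdict, amplification)} for every external, non-forwarder peer.

    verdict is one of:
      "reflector"    we sent responses to queries that came from this peer
      "victim"       responses arrived from this peer without us querying it
      "direct-query" our server sent queries to this peer although it is not the forwarder
    """
    peers = defaultdict(lambda: {"q_in": 0, "b_in": 0, "r_out": 0, "b_out": 0,
                                 "q_out": 0, "r_in": 0})
    for r in records:
        if r.src == server:
            peer = r.dst
        elif r.dst == server:
            peer = r.src
        else:
            continue  # not our server's traffic
        if peer == forwarder or ip_address(peer) in internal:
            continue  # expected traffic: configured forwarder or internal clients
        p = peers[peer]
        if r.dst == server and not r.response:
            p["q_in"] += 1
            p["b_in"] += r.length
        elif r.src == server and r.response:
            p["r_out"] += 1
            p["b_out"] += r.length
        elif r.src == server and not r.response:
            p["q_out"] += 1
        else:  # response arriving from the peer
            p["r_in"] += 1

    verdicts = {}
    for peer, p in peers.items():
        if p["r_out"]:
            # bytes we sent out divided by bytes that came in: the amplification ratio
            amp = p["b_out"] / p["b_in"] if p["b_in"] else float("inf")
            verdicts[peer] = ("reflector", amp)
        elif p["r_in"] and not p["q_out"]:
            verdicts[peer] = ("victim", None)
        elif p["q_out"]:
            verdicts[peer] = ("direct-query", None)
    return verdicts


if __name__ == "__main__":
    for peer, (verdict, amp) in classify(SAMPLE).items():
        print(f"{peer}: {verdict}" + (f" (x{amp:.0f} amplification)" if amp else ""))
```

A "reflector" verdict with a double-digit ratio is the signature of the open-resolver case the asker eventually found; a "victim" verdict (answers arriving with no matching outbound query) means someone is spoofing your address elsewhere, and firewall rules on your side cannot stop that; "direct-query" points at a process on the server that bypasses the configured forwarder, which is where netmon or the Sysinternals tools come in.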
LVL 62

Expert Comment

by:btan
ID: 39240129
Suggest you check this out; some useful tools are mentioned:
http://www.us-cert.gov/ncas/alerts/TA13-088A

Accepted Solution

by:
bikerhong earned 0 total points
ID: 39244101
Our server is an open relay due to a bug in the firewall!!

We have them looking into it.
LVL 62

Expert Comment

by:btan
ID: 39244822
Also do harden the server and not rely solely on the FW, as the chain can still break and the DNS service can still be allowed, especially for the authoritative type. Normally internal and external have different servers.
Author Closing Comment

by:bikerhong
ID: 39255586
Firewall bug