Solved

DNS Amplification - isc.org ANY DDoS Attack

Posted on 2013-06-11
Last Modified: 2013-06-18
Hi

Recently we have noticed our firewall alerting to the fact that at certain times (varies) daily, our DNS servers are exceeding set thresholds for DNS traffic.

Having enabled perfmon to monitor this, we found at the times these alerts come through, the DNS counters do also go up dramatically.

I installed WireShark to capture this traffic and I believe we are part of a DDoS attack - however I cannot work out if we are the intended victim, or part of a reflection attack.

More importantly, I want to know how to stop it if possible.

1. The Servers (more than 1, on multiple domains) are all Windows Servers.
2. There is no open port on the Firewall to allow external connections to these DNS Servers

Given that there is no way an external connection can "spam" our DNS Servers with requests, and the servers are all hidden behind the firewall, my logical thinking is that the connection must have been started from internally?

There are 3 IPs involved in this particular capture, 2 of which we know about, and a 3rd which we do not know or have any reason to connect to/from.

192.168.22.12 is the Internal IP of this particular DNS server
194.168.4.123 is the ISP's DNS server (which we have configured as the Forwarder IP)
46.249.46.92 is an external address which we know nothing about.

[WireShark screenshot of the capture, not reproduced]
Question by:bikerhong
6 Comments
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 39239857
I suspect you have something bigger happening here. But, as with anything, the specificity of the answer is always predicated on the quality of information provided. Screenshots are not as good as logs. And there is a trust that the information you provided about your firewall and forwarders is accurate. So, with that said, I'll break it down:

"my logical thinking is that the connection must have been started from internally?"

Not only is it coming from an internal request, it is coming *from* your server. You can determine this from the "source" IP address. If another internal machine was making the request, that IP would show up as the source. If a DNS client was making a request to the server, the server would use its legitimate forwarders. So no, this is pretty apparent that these requests are *starting* at your server.

As you say, if you have no reason to be querying 46.249.46.92, then why is your server querying it? That is your problem entry. Of course your screengrab doesn't have that particular traffic highlighted, so we can't say any more about what might be going on.

If your DNS server isn't set to forward requests to that server though, chances are it is *not* your DNS server making that query. There is very likely another program or service running on the server that is making that query directly. That should be of some concern.

I see two possibilities:

1) Your server is infected. So this rogue program is querying DNS servers it was hardcoded to query and is not using your DNS server service, bypassing any filters or forwarders you may have placed. That would be consistent with the logs we are seeing.

2) In rare cases, a legitimate program may be doing the queries. I have seen some anti-spam products that query the vendor's DNS servers directly instead of relying on an internal DNS server. If that is the case, it may not be that you are under a DDoS attack at all, but that you are undergoing intermittent periods where a spammer is hitting you hard. Of course the anti-spam product is doing its job and filtering it, but each connection will still cause a DNS lookup as part of its filtering process. Now personally, most anti-spam programs don't filter this way and don't hard-code their DNS servers, but as I said, a few do.

So now it becomes a matter of finding out which *process* on the server is making the requests. I actually find netmon and the various sysinternals tools to be more effective at this than wireshark. Wireshark on Windows uses PCAP which alters the network stack in ways that aren't always predictable. Wireshark is better suited to reading existing log files or doing other forensic work.

Hope that helps.

-Cliff
0
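To make the source-address reasoning above concrete, here is an added example that is not part of the thread and not Cliff's code. It takes a constructed, simplified list of DNS packet records (the field layout is an assumption standing in for what Wireshark's DNS dissector shows; payload sizes are made up) and derives the three signals the reply distinguishes: the server itself originating queries to a resolver it was never configured to use, external clients using the server as an open resolver (reflector), and unsolicited responses arriving at the server (victim). The sample reuses the three addresses from the question; the RFC 1918 list is an assumption to be replaced by the site's real internal ranges.

```python
"""
Triage of DNS capture records for reflection/amplification involvement.

Added example, not code from the original thread. It works on a constructed,
simplified record list rather than a real pcap so it runs offline; the field
names below are assumptions standing in for what Wireshark's DNS dissector
shows (source, destination, query/response flag, name, type, payload size).
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class DnsRecord:
    src: str
    dst: str
    is_response: bool
    qname: str
    qtype: str
    size: int  # UDP payload length in bytes


# Assumed internal addressing (RFC 1918); adjust to the site's real ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(records: Iterable[DnsRecord], server_ip: str,
           forwarders: Iterable[str]) -> Dict:
    """Classify the server's role from three independent signals in the capture."""
    fwd = set(forwarders)
    recs = list(records)

    # (1) queries the server itself sends to resolvers it was never configured to use
    rogue_targets: Dict[str, int] = defaultdict(int)
    # (2) queries arriving from outside the network: server answering as an open resolver
    external_clients: Dict[str, int] = defaultdict(int)
    # (3) responses arriving for which the server sent no matching query: server is the victim
    sent_queries = {(r.dst, r.qname.lower(), r.qtype)
                    for r in recs if not r.is_response and r.src == server_ip}
    unsolicited = 0
    # plus response-bytes / query-bytes per (name, type): the amplification factor
    q_sizes: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    r_sizes: Dict[Tuple[str, str], List[int]] = defaultdict(list)

    for r in recs:
        key = (r.qname.lower(), r.qtype)
        if r.is_response:
            r_sizes[key].append(r.size)
            if r.dst == server_ip and (r.src, key[0], r.qtype) not in sent_queries:
                unsolicited += 1
        else:
            q_sizes[key].append(r.size)
            if r.src == server_ip and r.dst not in fwd and not is_internal(r.dst):
                rogue_targets[r.dst] += 1
            elif r.dst == server_ip and not is_internal(r.src):
                external_clients[r.src] += 1

    amplification = {}
    for key, qs in q_sizes.items():
        if r_sizes.get(key):
            avg_resp = sum(r_sizes[key]) / len(r_sizes[key])
            amplification[key] = round(avg_resp / (sum(qs) / len(qs)), 1)

    roles = []
    if external_clients:
        roles.append("reflector")
    if unsolicited:
        roles.append("victim")
    if rogue_targets:
        roles.append("originator")
    return {"rogue_targets": dict(rogue_targets),
            "external_clients": dict(external_clients),
            "unsolicited_responses": unsolicited,
            "amplification": amplification,
            "roles": roles}


# Constructed sample mirroring the thread: 192.168.22.12 is the DNS server,
# 194.168.4.123 the configured forwarder, 46.249.46.92 the unexplained host.
SAMPLE_CAPTURE = [
    # normal: the server forwards a client lookup to the ISP forwarder
    DnsRecord("192.168.22.12", "194.168.4.123", False, "www.example.com", "A", 33),
    DnsRecord("194.168.4.123", "192.168.22.12", True, "www.example.com", "A", 49),
    # suspicious: the server itself keeps asking an unconfigured host for isc.org ANY
    DnsRecord("192.168.22.12", "46.249.46.92", False, "isc.org", "ANY", 32),
    DnsRecord("46.249.46.92", "192.168.22.12", True, "isc.org", "ANY", 3200),
    DnsRecord("192.168.22.12", "46.249.46.92", False, "isc.org", "ANY", 32),
    DnsRecord("46.249.46.92", "192.168.22.12", True, "isc.org", "ANY", 3200),
    DnsRecord("192.168.22.12", "46.249.46.92", False, "isc.org", "ANY", 32),
]

if __name__ == "__main__":
    result = triage(SAMPLE_CAPTURE, "192.168.22.12", ["194.168.4.123"])
    for name, value in result.items():
        print(f"{name}: {value}")
```

On the constructed sample the only role reported is "originator", which is the situation Cliff describes: the source address is the server's own, the destination is not a configured forwarder, and the isc.org ANY exchange carries a 100:1 response-to-query ratio. A "reflector" result would instead mean external source addresses are reaching the server with queries, and a "victim" result means large answers are arriving that the server never asked for.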
 
LVL 64

Expert Comment

by:btan
ID: 39240120
It tends to come down to why your DNS server is doing such a query, which can be triggered by itself or even intentionally by a spoofed client IP. Nonetheless, you need to check your server and run a dig check against your DNS server on a query to isc.org, and see whether they go the same route...

Some steps to prevent a DNS infrastructure from being used for reflection/amplification type attacks:

Disable querying for root on Authoritative resolvers, return REFUSED
Filter queries to Recursives from only paying customers, via ACLs
Apply BCP 140 or similar rules to cause any non-existent domain queries to respond with a REFUSED.
0
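As an added example (not from btan's comment and not any real DNS server's code), the three steps above reduced to a per-query decision function. The recursion ACL follows the approach of RFC 5358 (BCP 140): recursion only for clients in the permitted networks, authoritative data still served to anyone, and ANY or root queries from untrusted sources answered with REFUSED. The per-source response budget and the 'DROP' outcome are this example's own simplification of response rate limiting; the class and field names, the window size, and the sample queries (using documentation address 198.51.100.9) are constructed.

```python
"""
Resolver policy check for the hardening steps listed in the comment.

Added example, not from the thread or from any real DNS server. It models the
decisions a resolver should make per query; the class, field names and the
'DROP' outcome for rate-limited responses are assumptions of this example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass(frozen=True)
class Query:
    client: str  # source IP of the query (may be spoofed in an attack)
    qname: str
    qtype: str


@dataclass
class ResolverPolicy:
    # Networks allowed to use this server recursively (RFC 5358 / BCP 140 style ACL).
    recursion_allowed_from: List
    # Zones this server is authoritative for; answered to anyone, non-recursively.
    authoritative_zones: List[str]
    # Per-source response budget per window, capping what a spoofed victim gets from us.
    max_responses_per_window: int = 5
    _sent: Dict[str, int] = field(default_factory=dict, init=False)

    def reset_window(self) -> None:
        """Call once per rate-limit window (e.g. every second) to clear the counters."""
        self._sent.clear()

    def allows_recursion(self, client: str) -> bool:
        addr = ip_address(client)
        return any(addr in net for net in self.recursion_allowed_from)

    def is_authoritative_for(self, qname: str) -> bool:
        name = qname.lower().rstrip(".")
        for zone in self.authoritative_zones:
            z = zone.lower().rstrip(".")
            if name == z or name.endswith("." + z):
                return True
        return False

    def decide(self, q: Query) -> str:
        """Return 'ANSWER', 'REFUSED' or 'DROP' for one query."""
        trusted = self.allows_recursion(q.client)
        # Step 1: no root referrals or ANY answers for untrusted sources; both are
        # large responses to tiny queries, which is exactly what an amplifier needs.
        if not trusted and (q.qtype == "ANY" or q.qname.rstrip(".") == ""):
            return "REFUSED"
        # Step 2: recursion only for clients in the ACL; our own zones are still served.
        if not trusted and not self.is_authoritative_for(q.qname):
            return "REFUSED"
        # Step 3: rate-limit responses per source so our answers cannot flood a victim.
        n = self._sent.get(q.client, 0) + 1
        self._sent[q.client] = n
        if n > self.max_responses_per_window:
            return "DROP"
        return "ANSWER"


def demo() -> List[str]:
    """Run a constructed set of queries through a policy and return the decisions."""
    policy = ResolverPolicy(recursion_allowed_from=[ip_network("192.168.0.0/16")],
                            authoritative_zones=["example.com"],
                            max_responses_per_window=3)
    queries = [
        Query("192.168.22.50", "isc.org", "ANY"),        # inside client: recursion allowed
        Query("198.51.100.9", "isc.org", "ANY"),         # outside: ANY refused
        Query("198.51.100.9", "isc.org", "A"),           # outside: recursion refused
        Query("198.51.100.9", ".", "NS"),                # outside: root query refused
        Query("198.51.100.9", "www.example.com", "A"),   # outside: our zone, answered
        Query("198.51.100.9", "www.example.com", "A"),
        Query("198.51.100.9", "www.example.com", "A"),
        Query("198.51.100.9", "www.example.com", "A"),   # fourth in window: dropped
    ]
    return [policy.decide(q) for q in queries]


if __name__ == "__main__":
    print(demo())
```

The point of the ordering is that the cheap refusals come first: an outside ANY or root query never reaches the rate limiter, so it costs the server nothing and returns a response no larger than the query. Only traffic for zones the server actually serves consumes the per-source budget, which is what keeps a spoofed victim address from being flooded with authoritative answers.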
 
LVL 64

Expert Comment

by:btan
ID: 39240129
Suggest you check this out and some useful tools mentioned
http://www.us-cert.gov/ncas/alerts/TA13-088A
0

Accepted Solution

by:
bikerhong earned 0 total points
ID: 39244101
Our server is an open relay due to a bug in the firewall!!

We have them looking into it.
0
 
LVL 64

Expert Comment

by:btan
ID: 39244822
Also, do harden the server and not rely solely on the FW, as the chain can break; still, the DNS service can be allowed, especially for the authoritative type. Normally internal and external have different servers.
0
 

Author Closing Comment

by:bikerhong
ID: 39255586
Firewall bug
0
