Recently we have noticed our firewall alerting us to the fact that at certain times (which vary) daily, our DNS servers are exceeding the set thresholds for DNS traffic.
Having enabled perfmon to monitor this, we found that at the times these alerts come through, the DNS counters also go up dramatically.
I installed Wireshark to capture this traffic and I believe we are part of a DDoS attack - however I cannot work out if we are the intended victim, or part of a reflection attack.
More importantly, I want to know how to stop it if possible.
1. The Servers (more than 1, on multiple domains) are all Windows Servers.
2. There is no open port on the firewall to allow external connections to these DNS servers.
Given that there is no way an external connection can "spam" our DNS servers with requests, and the servers are all hidden behind the firewall, my logical thinking is that the connection must have been started internally?
There are 3 IPs involved in this particular capture, 2 of which we know about, and a 3rd which we do not know or have any reason to connect to/from.
192.168.22.12 is the Internal IP of this particular DNS server
220.127.116.11 is the ISP's DNS server (which we have configured as the forwarder IP)
18.104.22.168 is an external address which we know nothing about.
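The question of "victim or reflector" can be settled from the capture by matching each DNS reply arriving at the server against the queries the server actually sent. Replies with no matching outbound query are reflection traffic aimed at you; queries from outside hosts (and your answers back to them) mean your server is being used to amplify against someone else. The following is an added example, not code from the original post: it takes the three addresses from the question, but the packets it classifies are a constructed sample (fields as they would be read off a Wireshark capture), and the category names and the helper functions are my own.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address

DNS_SERVER = "192.168.22.12"   # internal DNS server named in the question
FORWARDER = "220.127.116.11"   # ISP forwarder named in the question


@dataclass(frozen=True)
class DnsPacket:
    """One DNS datagram as read off a capture (header fields only, no payload)."""
    src: str
    sport: int
    dst: str
    dport: int
    txid: int
    is_response: bool   # the QR bit of the DNS header


def is_internal(ip: str) -> bool:
    return ip_address(ip).is_private


def classify(packets):
    """Tally the server's role in each packet, matching replies to the queries it sent.

    Returns (tally, talkers): tally counts packets per category; talkers lists the
    remote hosts behind the two suspicious categories so a firewall rule can name them.
    """
    outstanding = set()          # (peer, our_port, txid) for queries we sent and still await
    tally = Counter()
    talkers = {"external_query": Counter(), "unsolicited_response": Counter()}
    for p in packets:
        if p.src == DNS_SERVER and not p.is_response:
            outstanding.add((p.dst, p.sport, p.txid))
            tally["upstream_query"] += 1                 # we asked the forwarder (or anyone)
        elif p.dst == DNS_SERVER and p.is_response:
            key = (p.src, p.dport, p.txid)
            if key in outstanding:
                outstanding.discard(key)
                tally["upstream_answer"] += 1            # reply to something we asked
            else:
                tally["unsolicited_response"] += 1       # reply we never asked for: we are the target
                talkers["unsolicited_response"][p.src] += 1
        elif p.dst == DNS_SERVER and p.dport == 53 and not p.is_response:
            if is_internal(p.src):
                tally["internal_query"] += 1             # an internal client using the server
            else:
                tally["external_query"] += 1             # an outside (possibly spoofed) host using us
                talkers["external_query"][p.src] += 1
        elif p.src == DNS_SERVER and p.sport == 53 and p.is_response:
            tally["internal_answer" if is_internal(p.dst) else "external_answer"] += 1
        else:
            tally["other"] += 1
    return tally, talkers


def verdict(tally):
    """Summarise the tally: 'target', 'reflector', both, or 'normal'."""
    findings = []
    if tally["unsolicited_response"] > tally["upstream_answer"]:
        findings.append("target")     # answers flood in that we never asked for
    if tally["external_query"] or tally["external_answer"]:
        findings.append("reflector")  # we are answering (on behalf of) outside hosts
    return findings or ["normal"]


# Constructed sample, not the author's capture: one normal lookup, then both bad patterns.
SAMPLE = [
    DnsPacket("192.168.22.40", 51234, DNS_SERVER, 53, 0x0A01, False),   # internal client asks us
    DnsPacket(DNS_SERVER, 54001, FORWARDER, 53, 0x7B10, False),         # we forward it
    DnsPacket(FORWARDER, 53, DNS_SERVER, 54001, 0x7B10, True),          # forwarder answers
    DnsPacket(DNS_SERVER, 53, "192.168.22.40", 51234, 0x0A01, True),    # we answer the client
    DnsPacket("18.104.22.168", 53, DNS_SERVER, 53, 0x1111, True),       # answers we never requested
    DnsPacket("18.104.22.168", 53, DNS_SERVER, 53, 0x2222, True),
    DnsPacket("18.104.22.168", 53, DNS_SERVER, 53, 0x3333, True),
    DnsPacket("18.104.22.168", 40000, DNS_SERVER, 53, 0x4444, False),   # outside host queries us
    DnsPacket(DNS_SERVER, 53, "18.104.22.168", 40000, 0x4444, True),    # and we answer it
]

if __name__ == "__main__":
    tally, talkers = classify(SAMPLE)
    print(dict(tally))
    print(talkers)
    print(verdict(tally))
```

Two caveats when reading the output against a real capture. In a reflection attack the source address on inbound queries is spoofed to the victim, so hosts listed under `external_query` are the party being attacked, not the attacker. And a server that only ever appears in `upstream_query` / `upstream_answer` exchanges with its forwarder, yet shows a traffic spike, may simply be forwarding a burst of internal queries, so the `internal_query` talkers are worth a look before blaming anything outside.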