Solved

DNS Amplification - isc.org ANY DDoS Attack

Posted on 2013-06-11
Last Modified: 2013-06-18
Hi

Recently we have noticed our firewall alerting to the fact that at certain times (varies) daily, our DNS servers are exceeding set thresholds for DNS traffic.

Having enabled perfmon to monitor this, we found at the times these alerts come through, the DNS counters do also go up dramatically.

I installed WireShark to capture this traffic and I believe we are part of a DDoS attack - however I cannot work out if we are the intended victim, or part of a reflection attack.

More importantly, I want to know how to stop it if possible.

1. The Servers (more than 1, on multiple domains) are all Windows Servers.
2. There is no open port on the Firewall to allow external connections to these DNS Servers

Given that there is no way an external connection can "spam" our DNS Servers with requests, and the servers are all hidden behind the firewall, my logical thinking is that the connection must have been started from internally?

There are 3 IPs involved in this particular capture, 2 of which we know about, and a 3rd which we do not know or have any reason to connect to/from.

192.168.22.12 is the Internal IP of this particular DNS server
194.168.4.123 is the ISP's DNS server (which we have configured as the Forwarder IP)
46.249.46.92 is an external address which we know nothing about.

WireShark Screenshot
Question by bikerhong

6 Comments

Expert Comment by Cliff Galiher
I suspect you have something bigger happening here. But, as with anything, the specificity of the answer is always predicated on the quality of information provided. Screenshots are not as good as logs. And there is a trust that the information you provided about your firewall and forwarders is accurate. So, with that said, I'll break it down:

"my logical thinking is that the connection must have been started from internally?"

Not only is it coming from an internal request, it is coming *from* your server. You can determine this from the "source" IP address. If another internal machine was making the request, that IP would show up as the source. If a DNS client was making a request to the server, the server would use its legitimate forwarders. So no, this is pretty apparent that these requests are *starting* at your server.

As you say, if you have no reason to be querying 46.249.46.92, then why is your server querying it? That is your problem entry. Of course your screengrab doesn't have that particular traffic highlighted, so we can't say any more about what might be going on.

If your DNS server isn't set to forward requests to that server though, chances are it is *not* your DNS server making that query. There is very likely another program or service running on the server that is making that query directly. That should be of some concern.

I see two possibilities:

1) Your server is infected. So this rogue program is querying DNS servers it was hardcoded to query and is not using your DNS server service, bypassing any filters or forwarders you may have placed. That would be consistent with the logs we are seeing.

2) In rare cases, a legitimate program may be doing the queries. I have seen some anti-spam products that query the vendor's DNS servers directly instead of relying on an internal DNS server. If that is the case, it may not be that you are under a DDoS attack at all, but that you are undergoing intermittent periods where a spammer is hitting you hard. Of course the anti-spam product is doing its job and filtering it, but each connection will still cause a DNS lookup as part of its filtering process. Now personally, most anti-spam programs don't filter this way and don't hard-code their DNS servers, but as I said, a few do.

So now it becomes a matter of finding out which *process* on the server is making the requests. I actually find netmon and the various sysinternals tools to be more effective at this than wireshark. Wireshark on Windows uses PCAP which alters the network stack in ways that aren't always predictable. Wireshark is better suited to reading existing log files or doing other forensic work.

Hope that helps.

-Cliff
Expert Comment by btan
It tends to be worth seeing why your DNS server is doing such a query, which can be triggered by itself or even intentionally by a spoofed client IP. Nonetheless, you need to check your server and run a dig check against your DNS server on a query to isc.org, to see whether they go the same route.

Some steps to prevent a DNS infrastructure from being used for reflection/amplification type attacks:

1. Disable querying for root on authoritative resolvers; return REFUSED.
2. Filter queries to recursive servers so that only paying customers are allowed, via ACLs.
3. Apply BCP 140 or similar rules to cause any non-existent domain queries to respond with a REFUSED.
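As an added example (not code from the question or from either expert), here is a direction-based triage of a capture like the one described: it applies Cliff Galiher's point that the source address tells you who started the exchange, and measures the reflection pattern that btan's prevention steps are aimed at. It assumes the capture was exported as tab-separated fields in the layout `tshark -T fields` produces; the sample rows and the 192.168.0.0/16 internal range are constructed.

```python
import ipaddress
from collections import defaultdict
# Constructed sample: the capture exported as tab-separated fields, the layout
# `tshark -T fields` would give (assumed; the question only shows a screenshot):
# ip.src  ip.dst  dns.flags.response  dns.qry.name  dns.qry.type  frame.len
SAMPLE = """\
46.249.46.92\t192.168.22.12\t0\tisc.org\t255\t64
192.168.22.12\t194.168.4.123\t0\tisc.org\t255\t64
194.168.4.123\t192.168.22.12\t1\tisc.org\t255\t3200
192.168.22.12\t46.249.46.92\t1\tisc.org\t255\t3200
46.249.46.92\t192.168.22.12\t0\tisc.org\t255\t64
192.168.22.12\t46.249.46.92\t1\tisc.org\t255\t3200
192.168.22.5\t192.168.22.12\t0\tfileserver.corp.example\t1\t70
192.168.22.12\t192.168.22.5\t1\tfileserver.corp.example\t1\t86
"""
SERVER = "192.168.22.12"            # the DNS server from the question
FORWARDERS = {"194.168.4.123"}      # the only upstream it should ever talk to
INTERNAL = ipaddress.ip_network("192.168.0.0/16")   # assumed internal range
QTYPE_ANY = 255                     # record type abused in the isc.org pattern

def parse(text):
    rows = []
    for line in text.strip().splitlines():
        src, dst, resp, qname, qtype, length = line.split("\t")
        rows.append({"src": src, "dst": dst, "response": resp == "1",
                     "qname": qname.lower(), "qtype": int(qtype), "length": int(length)})
    return rows

def analyze(rows, server=SERVER):
    """Classify by packet direction. External queries reaching the server mean it is
    an open resolver; large answers sent back to those 'sources' mean it is reflecting
    onto a spoofed victim. Unsolicited answers arriving would mean we are the victim;
    server-originated queries to a non-forwarder point at a rogue process."""
    q_in, r_out = defaultdict(int), defaultdict(int)
    any_in, unsolicited, rogue = defaultdict(int), defaultdict(int), defaultdict(int)
    for r in rows:
        src_ext = ipaddress.ip_address(r["src"]) not in INTERNAL
        dst_ext = ipaddress.ip_address(r["dst"]) not in INTERNAL
        if not r["response"] and r["dst"] == server and src_ext:
            q_in[r["src"]] += r["length"]                 # bytes of queries from outside
            any_in[r["src"]] += int(r["qtype"] == QTYPE_ANY)
        elif r["response"] and r["src"] == server and dst_ext:
            r_out[r["dst"]] += r["length"]                # bytes we sent back outside
        elif r["response"] and r["dst"] == server and r["src"] not in FORWARDERS:
            unsolicited[r["src"]] += 1                    # answers we never asked for
        elif not r["response"] and r["src"] == server and dst_ext and r["dst"] not in FORWARDERS:
            rogue[r["dst"]] += 1                          # server querying an unknown upstream
    amp = {ip: round(r_out[ip] / q_in[ip], 1) for ip in q_in}   # bytes out per byte in
    return {"open_resolver": bool(q_in), "any_queries": dict(any_in), "amplification": amp,
            "unsolicited_responses": dict(unsolicited), "rogue_upstreams": dict(rogue)}
```

On the constructed sample the server answers ANY queries that arrive from outside with a 50:1 byte ratio, which is the reflector role; a non-empty `rogue_upstreams` instead would match Cliff's "which process is querying 46.249.46.92" case.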
Expert Comment by btan
I suggest you check this out; some useful tools are mentioned:
http://www.us-cert.gov/ncas/alerts/TA13-088A
Accepted Solution by bikerhong
Our server is an open relay due to a bug in the firewall!!

We have them looking into it.
Expert Comment by btan
Also do harden the server and not rely solely on the FW, as the chain can still break and the DNS service can still be allowed, especially for the authoritative type. Normally internal and external have different servers.
Author Closing Comment by bikerhong
Firewall bug