Solved

How a DNS DDoS clogged my router

Posted on 2013-06-20
Last Modified: 2014-12-13
Can anyone explain to me why a small DDoS attack brought my internet connection to its knees?  Last week I started receiving a larger number of DNS requests for the domain ddostheinter.net which caused a 60% loss of internet communications.  I am using a Cisco 2821 router with a 30MB Ethernet connection to the ISP.  At the maximum peak time, we were receiving approximately 265,000 requests per hour or about 72 per second.  The incoming packet size is approximately 81 bytes with a return packet size of around 1.5 kBytes. With this low amount of traffic, our router should have been able to handle this just fine but it didn't.  CPU utilization remained less than 15% at all times.
Question by:davidwilkerson
6 Comments
 
LVL 22

Expert Comment

by:eeRoot
ID: 39264898
If your router is simply passing DNS requests, then the choke point may have been your internal DNS server.  If the DNS server was saturated, then your internal PCs' ability to resolve internet addresses may have been hampered.  Do you have CPU, memory, and network utilization logs for your DNS servers?
 
LVL 76

Accepted Solution

by:arnold (earned 500 total points)
ID: 39264906
One way to avoid this depending on your DNS server is to separate the roles.
Have one that is authoritative and one that is caching.

If you do not have an authoritative name server, you should not be opening port 53 on your firewall to your DNS server.
 

Author Comment

by:davidwilkerson
ID: 39265611
I checked the DNS server during this time and the CPU, memory, and network utilization were all low.  There are no significant DNS logs.  Server is Windows 2008R2 64-bit, 4GB RAM.  I could remote into the server just fine and it wasn't being overloaded that I could tell.
 
LVL 28

Expert Comment

by:Jan Springer
ID: 39265759
Are you running an open DNS server?  If so, you need to restrict who can query non-authoritative zones.
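The two answers above (arnold: separate the authoritative and caching roles and do not expose port 53 unless you are authoritative; Jan Springer: restrict who may send you recursive queries) both come down to one question: will your server recurse for an arbitrary internet client? The script below is an added example, not code from the thread or from any of the posters. It builds a recursive query in wire format, decodes the response header, and classifies the answering server from the RA bit and RCODE. The sample packets, the transaction id 0x1234, the test name example.com and the A record in the "open" sample are all constructed for the example; `probe()` is the only part that touches the network and must be run from outside your own network to mean anything.

```python
import socket
import struct

# Added example (not from the original thread): build a recursive DNS query,
# decode the response header, and decide whether the server answering it is
# behaving as an open resolver. Names and sample packets are constructed.

QTYPE_A = 1
QCLASS_IN = 1
RCODE_REFUSED = 5


def build_query(name: str, txid: int = 0x1234, qtype: int = QTYPE_A) -> bytes:
    """Wire-format DNS query with only the RD (recursion desired) bit set."""
    flags = 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(packet: bytes) -> dict:
    """Decode the 12-byte DNS header into its flag bits and section counts."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,   # 1 = response
        "aa": (flags >> 10) & 1,   # authoritative answer
        "rd": (flags >> 8) & 1,    # recursion desired (echoed from the query)
        "ra": (flags >> 7) & 1,    # recursion available
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(response: bytes, txid: int = 0x1234) -> str:
    """Classify the reply to a recursive query for a name the server is NOT
    authoritative for (an authoritative answer for your own zone says nothing
    about recursion).
      open-resolver         : it recursed on behalf of an arbitrary client
      refused               : recursion restricted (RCODE REFUSED)
      recursion-unavailable : RA clear, the server does not recurse at all
    """
    h = parse_header(response)
    if h["qr"] != 1 or h["id"] != txid:
        return "not-a-matching-response"
    if h["rcode"] == RCODE_REFUSED:
        return "refused"
    if h["ra"] == 0:
        return "recursion-unavailable"
    if h["rcode"] == 0 and h["ancount"] > 0 and h["aa"] == 0:
        return "open-resolver"
    return "inconclusive"


def probe(server: str, name: str = "example.com", timeout: float = 2.0) -> str:
    """Send the query over UDP/53. Needs network access and must be run from
    outside your network; not exercised by the offline samples below."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return classify(data)


# Constructed sample packets (txid 0x1234, question example.com / A / IN).
QUESTION = b"\x07example\x03com\x00" + struct.pack("!HH", QTYPE_A, QCLASS_IN)
# flags 0x8180: QR=1 RD=1 RA=1 RCODE=0, one non-authoritative A answer, TTL 3600
OPEN_RESOLVER_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 3600, 4)
    + bytes([93, 184, 216, 34])
)
# flags 0x8105: QR=1 RD=1 RA=0 RCODE=5 (REFUSED), no answer section
REFUSED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    for label, pkt in (("open", OPEN_RESOLVER_RESPONSE), ("locked down", REFUSED_RESPONSE)):
        print(f"{label:12s} -> {classify(pkt)}")
```

The same check by hand is `dig @<your-public-ip> example.com` from an outside host: an `ra` flag plus an answer means you are an open resolver. Note that the Windows DNS role on 2008 R2 only has a global recursion switch (`dnscmd /Config /NoRecursion 1`), which would also stop it resolving for your own PCs, so for a single server that is both your internal resolver and your public authoritative server the practical fix is the one arnold gives: close UDP/TCP 53 from the internet at the router or firewall, or split the roles so only a non-recursive authoritative server is reachable from outside.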
 
LVL 32

Expert Comment

by:harbor235
ID: 39265941
Why do you think the router could not handle the traffic load? What was the problem?

So far all elements of your network appear not to have been impacted?

We need more information about what the problem is/was.

harbor235 ;}
 
LVL 27

Expert Comment

by:Steve
ID: 39265972
75 DNS requests per second is quite a lot across an internet connection, but you're right that on the face of it it's not that bad.

In reality there is a lot of processing involved with this traffic and it's not all at your end.

Firstly, the replies can clog up your upload channel (which is often overlooked when assessing internet bandwidth).

Secondly, the receipt, processing and transmitting of each request has an overhead that adds to the load.

Thirdly, don't forget your ISP and the public internet routers have to handle all this additional traffic too. Many internet systems deprioritise your connection if a large amount of repeated traffic occurs for a period of time, as they don't want it to affect their other clients.

You may never know exactly what caused the slowdown, but this is the whole point of a DDoS attack and they wouldn't do it if it didn't cause you a headache.
