How a DNS DDoS clogged my router

Posted on 2013-06-20
Last Modified: 2014-12-13
Can anyone explain to me why a small DDoS attack brought my internet connection to its knees? Last week I started receiving a larger number of DNS requests for the domain ddostheinter.net, which caused a 60% loss of internet communications. I am using a Cisco 2821 router with a 30MB Ethernet connection to the ISP. At the maximum peak time, we were receiving approximately 265,000 requests per hour, or about 72 per second. The incoming packet size is approximately 81 bytes with a return packet size of around 1.5 kBytes. With this low amount of traffic, our router should have been able to handle this just fine, but it didn't. CPU utilization remained less than 15% at all times.
Question by:davidwilkerson
Expert Comment

by:eeRoot
ID: 39264898
If your router is simply passing DNS requests, then the choke point may have been your internal DNS server. If the DNS server was saturated, then your internal PCs' ability to resolve internet addresses may have been hampered. Do you have CPU, memory, and network utilization logs for your DNS servers?
Accepted Solution

by: arnold (earned 500 total points)
ID: 39264906
One way to avoid this, depending on your DNS server, is to separate the roles.
Have one that is authoritative and one that is caching.

If you do not have an authoritative name server, you should not be opening port 53 on your firewall to your DNS server.
Author Comment

by:davidwilkerson
ID: 39265611
I checked the DNS server during this time and the CPU, memory, and network utilization were all low. There are no significant DNS logs. The server is Windows 2008R2 64-bit with 4GB RAM. I could remote into the server just fine and it wasn't being overloaded that I could tell.
Expert Comment

by:Jan Springer
ID: 39265759
Are you running an open DNS server?  If so, you need to restrict who can query non-authoritative zones.
Expert Comment

by:harbor235
ID: 39265941
Why do you think the router could not handle the traffic load? What was the problem?

So far all elements of your network appear not to have been impacted?

We need more information about what the problem is/was.

harbor235 ;}
Expert Comment

by:Steve
ID: 39265972
75 DNS requests per second is quite a lot across an internet connection, but you're right that on the face of it it's not that bad.

In reality there is a lot of processing involved with this traffic, and it's not all at your end.

Firstly, the replies can clog up your upload channel (which is often overlooked when assessing internet bandwidth).

Secondly, the receipt, processing and transmitting of each request has an overhead that adds to the load.

Thirdly, don't forget your ISP and the public internet routers have to handle all this additional traffic too. Many internet systems deprioritise your connection if a large amount of repeated traffic occurs for a period of time, as they don't want it to affect their other clients.

You may never know exactly what caused the slowdown, but this is the whole point of a DDoS attack, and they wouldn't do it if it didn't cause you a headache.
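To put the figures from the question together with Steve's point about the reply traffic, here is an added Python example (not from this thread): it flags a query name that dominates a short, constructed DNS query log, then converts the question's 72 req/s, 81-byte request and 1.5 kB response figures into inbound and outbound bit rates and a response-to-request size ratio. The log line format is an assumption.

```python
import re
from collections import Counter

# Constructed sample DNS query log (not from the page); one query per line.
SAMPLE_LOG = """\
12:00:00 client 203.0.113.10 query ddostheinter.net ANY
12:00:00 client 203.0.113.11 query ddostheinter.net ANY
12:00:00 client 198.51.100.7 query www.example.com A
12:00:01 client 203.0.113.12 query ddostheinter.net ANY
12:00:01 client 203.0.113.10 query ddostheinter.net ANY
12:00:01 client 192.0.2.5 query mail.example.com MX
12:00:02 client 203.0.113.13 query ddostheinter.net ANY
12:00:02 client 203.0.113.14 query ddostheinter.net ANY
12:00:02 client 203.0.113.10 query ddostheinter.net ANY
"""

# Assumed line layout: "<time> client <ip> query <name> <type>"
LINE_RE = re.compile(r"^(\S+) client (\S+) query (\S+) (\S+)$")


def parse_log(text):
    """Return (timestamp, client, qname, qtype) tuples, skipping malformed lines."""
    return [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]


def queries_per_second(rows):
    """Queries seen per (second, qname); a flood shows as one name dominating."""
    return Counter((ts, qname) for ts, _client, qname, _qtype in rows)


def flood_candidates(rows, threshold):
    """Names that reach `threshold` queries within any single second."""
    return sorted({qname for (_ts, qname), n in queries_per_second(rows).items()
                   if n >= threshold})


def upstream_load(rate_per_sec, request_bytes, response_bytes):
    """Inbound bits/s, outbound bits/s and the response/request size ratio."""
    inbound = rate_per_sec * request_bytes * 8
    outbound = rate_per_sec * response_bytes * 8
    return inbound, outbound, response_bytes / request_bytes


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("flooded names:", flood_candidates(rows, threshold=2))
    # Figures from the question: 72 req/s, 81-byte requests, 1.5 kB responses.
    inbound, outbound, ratio = upstream_load(72, 81, 1500)
    print(f"inbound {inbound / 1e6:.3f} Mb/s, outbound {outbound / 1e6:.3f} Mb/s, "
          f"amplification x{ratio:.1f}")
```

The outbound figure is the one to compare against the upload side of the link, since each small query produces a reply roughly eighteen times its size.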