Solved

How a DNS DDoS clogged my router

Posted on 2013-06-20
Last Modified: 2014-12-13
Can anyone explain to me why a small DDoS attack brought my internet connection to its knees?  Last week I started receiving a larger number of DNS requests for the domain ddostheinter.net which caused a 60% loss of internet communications.  I am using a Cisco 2821 router with a 30MB Ethernet connection to the ISP.  At the maximum peak time, we were receiving approximately 265,000 requests per hour or about 72 per second.  The incoming packet size is approximately 81 bytes with a return packet size of around 1.5 kBytes. With this low amount of traffic, our router should have been able to handle this just fine, but it didn't.  CPU utilization remained less than 15% at all times.
Question by:davidwilkerson
6 Comments
 
LVL 22

Expert Comment

by:eeRoot
ID: 39264898
If your router is simply passing DNS requests, then the choke point may have been your internal DNS server.  If the DNS server was saturated, then your internal PCs' ability to resolve internet addresses may have been hampered.  Do you have CPU, memory, and network utilization logs for your DNS servers?
 
LVL 77

Accepted Solution

by:arnold (earned 500 total points)
ID: 39264906
One way to avoid this depending on your DNS server is to separate the roles.
Have one that is authoritative and one that is caching.

If you do not have an authoritative name server, you should not be opening port 53 on your firewall to your DNS server.
 

Author Comment

by:davidwilkerson
ID: 39265611
I checked the DNS server during this time and the CPU, memory, and network utilization were all low.  There are no significant DNS logs.  The server is Windows 2008R2 64-bit with 4GB RAM.  I could remote into the server just fine and it wasn't being overloaded that I could tell.

 
LVL 28

Expert Comment

by:Jan Springer
ID: 39265759
Are you running an open DNS server?  If so, you need to restrict who can query non-authoritative zones.
 
LVL 32

Expert Comment

by:harbor235
ID: 39265941
Why do you think the router could not handle the traffic load? What was the problem?

So far all elements of your network appear not to have been impacted?

We need more information on what the problem is/was.

harbor235 ;}
 
LVL 27

Expert Comment

by:Steve
ID: 39265972
75 DNS requests per second is quite a lot across an internet connection, but you're right that on the face of it it's not that bad.

In reality there is a lot of processing involved with this traffic and it's not all at your end.

Firstly, the replies can clog up your upload channel (which is often overlooked when assessing internet bandwidth).

Secondly, the receipt, processing and transmitting of each request has an overhead that adds to the load.

Thirdly, don't forget your ISP and the public internet routers have to handle all this additional traffic too. Many internet systems deprioritise your connection if a large amount of repeated traffic occurs for a period of time as they don't want it to affect their other clients.

You may never know exactly what caused the slowdown, but this is the whole point of a DDoS attack and they wouldn't do it if it didn't cause you a headache.
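Added example (not part of the thread, and not anyone's posted code): a small Python script that ties together arnold's and Jan Springer's advice (answer only your own zones to the outside, recurse only for internal clients) with Steve's point about reflected replies filling the upload channel. It parses a few constructed query-log lines in a simplified "date time client qtype name" layout (real Windows DNS debug logs or BIND query logs need their own parser), finds the peak queries per second per name, estimates the amplification factor and upstream load from the 81-byte request and roughly 1.5 kB reply sizes quoted in the question, and counts how many of the logged queries a restricted-recursion policy would have refused. The zone name, the internal network range and the log lines are all hypothetical.

```python
"""Analyse DNS query logs for reflection abuse and show what a
restricted-recursion policy would have refused.

Added example, not from the original thread.  The log format, the
authoritative zone, the internal network and every sample line are
constructed; the 81 B / ~1500 B sizes come from the question.
"""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: "date time client qtype name".
SAMPLE_LOG = """\
2013-06-13 10:00:01 198.51.100.7 ANY ddostheinter.net
2013-06-13 10:00:01 198.51.100.7 ANY ddostheinter.net
2013-06-13 10:00:01 198.51.100.9 ANY ddostheinter.net
2013-06-13 10:00:01 192.168.1.20 A www.example.com
2013-06-13 10:00:02 198.51.100.7 ANY ddostheinter.net
2013-06-13 10:00:02 198.51.100.7 ANY ddostheinter.net
2013-06-13 10:00:02 192.168.1.21 A corp.example.local
2013-06-13 10:00:02 203.0.113.5 A corp.example.local
"""

REQUEST_BYTES = 81     # observed request size (from the question)
REPLY_BYTES = 1500     # observed reply size, ~1.5 kB (from the question)

# Hypothetical policy: zones this server hosts, and who may use it as a
# recursive resolver.  Everyone else gets REFUSED for non-authoritative names.
AUTHORITATIVE_ZONES = ("corp.example.local",)
RECURSION_ALLOWED = (ipaddress.ip_network("192.168.0.0/16"),)


def parse_log(text):
    """Turn log lines into dicts with a datetime, an IP object, qtype and name."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time_, client, qtype, name = line.split()
        entries.append({
            "ts": datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S"),
            "client": ipaddress.ip_address(client),
            "qtype": qtype,
            "name": name.lower().rstrip("."),
        })
    return entries


def peak_rate_per_name(entries):
    """Highest number of queries seen in any single second, per name."""
    per_sec = defaultdict(Counter)
    for e in entries:
        per_sec[e["name"]][e["ts"]] += 1
    return {name: max(c.values()) for name, c in per_sec.items()}


def amplification(request_bytes=REQUEST_BYTES, reply_bytes=REPLY_BYTES):
    """Bytes sent back per byte received: how much the reflector amplifies."""
    return reply_bytes / request_bytes


def upstream_bytes_per_second(qps, reply_bytes=REPLY_BYTES):
    """Reply traffic leaving on the upload channel at a given query rate."""
    return qps * reply_bytes


def is_authoritative(name):
    return any(name == z or name.endswith("." + z) for z in AUTHORITATIVE_ZONES)


def would_answer(entry):
    """Authoritative names are answered for anyone; recursion only for internal clients."""
    if is_authoritative(entry["name"]):
        return True
    return any(entry["client"] in net for net in RECURSION_ALLOWED)


def refused_count(entries):
    return sum(1 for e in entries if not would_answer(e))


def report(text=SAMPLE_LOG):
    entries = parse_log(text)
    return {
        "peaks": peak_rate_per_name(entries),
        "refused": refused_count(entries),
        "total": len(entries),
    }


if __name__ == "__main__":
    print(report())
    print(f"amplification factor ~{amplification():.1f}x")
    mbit = upstream_bytes_per_second(72) * 8 / 1e6
    print(f"72 q/s of reflected replies ~ {mbit:.2f} Mbit/s upstream")
```

On the constructed log the policy refuses every ddostheinter.net query from outside addresses while still answering the hosted zone for anyone, which is the behaviour of an authoritative-only server with recursion limited to internal clients. At the question's 72 queries per second the reflected replies alone come to roughly 108 kB/s (about 0.86 Mbit/s) of upload, which is the figure to compare against the link's upstream capacity rather than its advertised downstream.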
