Solved

DNS Amplification DDoS Attacks

Posted on 2013-06-25
1,492 Views
Last Modified: 2013-07-01
hello experts.
I have a DNS server on Windows 2008 R2 and I discovered a DNS amplification DDoS attack on it. How can I mitigate it?
I have blocked some IP addresses but it doesn't help.
Question by:ameriaadmin
22 Comments
 
LVL 7

Expert Comment

by:dec0mpile
ID: 39274730
You have to configure your server to drop the large packets.

The source IP addresses are not spoofed in the IP packets carrying the DNS response messages, so the source addresses identify the open recursive servers the zombies use. Depending on the severity of the attack and how strongly you wish to respond, you can rate-limit traffic from these source IP addresses or use a filtering rule that drops DNS response messages that are suspiciously large (over 512 bytes). In the extreme, you may choose to block traffic from the open recursive servers entirely. These efforts do not squelch the attack sources, and they do not reduce the load on networks and switches between your name server and the open recursive servers. Note that if you block all traffic from these open recursive servers you may interfere with legitimate attempts to resolve names through these servers; for example, some organizations run open recursive servers so that mobile employees can resolve from a "trusted" name server, so such users can be affected.

See this on how to do that with PowerShell:
http://technet.microsoft.com/en-us/security/hh972393.aspx

Attack explanation:
http://www.watchguard.com/infocenter/editorial/41649.asp
0
 
LVL 14

Expert Comment

by:BlueCompute
ID: 39274738
There are a few approaches to this, depending a lot on how your domain and network are configured. Firstly, do you need to be allowing access to your DNS servers from the internet at all? If not, don't - simply block ports 53 TCP and 53 UDP inbound at your firewall.
If you've already blocked access from the internet to your DNS servers, one of your client computers is likely infected and is the source of the packets - make sure all your client computers are fully updated and have working antivirus.
You also need to look at limiting recursion on your DNS servers to internal clients (this and a few other mitigation steps are described here).
0
 

Author Comment

by:ameriaadmin
ID: 39274765
thank you
Do you have a configuration guide?
0
 

Author Comment

by:ameriaadmin
ID: 39274776
I need to permit access from the Internet. It is not traffic from the LAN.
0
 
LVL 14

Expert Comment

by:BlueCompute
ID: 39274856
Two steps that could be effective are to disable recursion and to not respond (or send a duff, tiny response) to queries for the zones being used for the amplification attack.

If you need more info you'll have to give us a little more info about the environment:
Why do you need your DNS server to be publicly accessible?
How did you identify the attack - what symptoms did you see?
What are the malicious requests - what domain / zone?
0
 

Author Comment

by:ameriaadmin
ID: 39274879
I have a DNS service on Windows 2008 R2 in the DMZ. I have captured the DDoS on the core router. It has high CPU load. I have many requests for isc.org. I need to answer only for my zones. The master zones are on our servers and the slave zones on the ISP's DNS servers.
0
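The symptom described above (a flood of queries for one name, seen at the router) can also be confirmed on the server itself from the Windows DNS debug log. The script below is an added example and is not code from this thread or from Microsoft; it assumes the Windows Server 2008 R2 debug-log line format, uses constructed sample lines so it runs offline, and uses placeholder addresses (198.51.100.x and 192.0.2.x as the spoofed sources, 203.0.113.5/6 and 10.0.0.53 as the resolvers expected to query this server).

```powershell
# Added example (not from the thread): flag amplification traffic in a Windows Server
# 2008 R2 DNS debug log. Enable the log under DNS Manager > server Properties >
# Debug Logging (incoming UDP/TCP queries are enough), then point Get-Content at it.
# The lines in $sampleLog are CONSTRUCTED in that format so the script runs offline;
# 198.51.100.x / 192.0.2.x play the spoofed sources, 203.0.113.5 an ISP resolver.
$sampleLog = @'
6/25/2013 10:15:01 AM 0A2C PACKET  0000000002C4F3D0 UDP Rcv 198.51.100.7    0001   Q [0001   D   NOERROR] ANY    (3)isc(3)org(0)
6/25/2013 10:15:01 AM 0A2C PACKET  0000000002C4F3D0 UDP Snd 198.51.100.7    0001 R Q [8081   DR  NOERROR] ANY    (3)isc(3)org(0)
6/25/2013 10:15:01 AM 0A2C PACKET  0000000002C4F3D0 UDP Rcv 198.51.100.7    0002   Q [0001   D   NOERROR] ANY    (3)isc(3)org(0)
6/25/2013 10:15:01 AM 0A2C PACKET  0000000002C4F3D0 UDP Rcv 198.51.100.9    0003   Q [0001   D   NOERROR] ANY    (3)isc(3)org(0)
6/25/2013 10:15:02 AM 0A2C PACKET  0000000002C4F3D0 UDP Rcv 203.0.113.5     0004   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
6/25/2013 10:15:02 AM 0A2C PACKET  0000000002C4F3D0 UDP Rcv 192.0.2.44      0005   Q [0001   D   NOERROR] ANY    (3)isc(3)org(0)
'@

# Hypothetical list of resolvers that are expected to query this server (ISP + LAN).
$expectedSources = @('203.0.113.5', '203.0.113.6', '10.0.0.53')

function ConvertFrom-DnsDebugLog {
    param([string[]]$Lines)
    # One PACKET line: date time am/pm thread PACKET id proto dir remoteip xid [R] opcode [flags] qtype qname
    $rx = '^(?<stamp>\S+ \S+ \S+) \S+ PACKET\s+\S+ (?<proto>UDP|TCP) (?<dir>Snd|Rcv) (?<ip>\S+)\s+(?<xid>\S+)\s+(?<rest>.*?)\s*\[[^\]]*\]\s+(?<qtype>\S+)\s+(?<qname>\S+)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $rx) {              # header, blank and hex-dump lines are skipped
            New-Object PSObject -Property @{
                Stamp   = $Matches['stamp']
                Proto   = $Matches['proto']
                Dir     = $Matches['dir']
                Source  = $Matches['ip']
                # queries read "  Q [", responses "R Q [": the R marks a response
                IsQuery = -not ($Matches['rest'] -like 'R *')
                QType   = $Matches['qtype']
                # "(3)isc(3)org(0)" -> "isc.org"
                QName   = (($Matches['qname'] -replace '\(\d+\)', '.').Trim('.')).ToLower()
            }
        }
    }
}

function Find-AmplificationCandidates {
    param([object[]]$Packets, [string[]]$Expected, [int]$MinQueries = 3)
    # Inbound ANY queries are the classic amplifier: tiny request, multi-kilobyte answer.
    $anyQueries = $Packets | Where-Object { $_.Dir -eq 'Rcv' -and $_.IsQuery -and $_.QType -eq 'ANY' }
    $anyQueries | Group-Object QName | Where-Object { $_.Count -ge $MinQueries } | ForEach-Object {
        $sources    = @($_.Group | Select-Object -ExpandProperty Source | Sort-Object -Unique)
        $unexpected = @($sources | Where-Object { $Expected -notcontains $_ })
        New-Object PSObject -Property @{
            QName             = $_.Name
            AnyQueries        = $_.Count
            DistinctSources   = $sources.Count
            # With spoofed source addresses these are the VICTIMS receiving the answers,
            # not the attacker; blocking them at the server only completes the DoS on them.
            UnexpectedSources = ($unexpected -join ', ')
        }
    }
}

# Offline run on the constructed sample. For a live server replace the first line with
#   $packets = ConvertFrom-DnsDebugLog -Lines (Get-Content 'C:\dns\dns.log')
$packets = ConvertFrom-DnsDebugLog -Lines ($sampleLog -split "`r?`n")
Find-AmplificationCandidates -Packets $packets -Expected $expectedSources |
    Select-Object QName, AnyQueries, DistinctSources, UnexpectedSources |
    Format-Table -AutoSize
```

On the sample this reports one candidate, isc.org, with 4 inbound ANY queries from 3 distinct sources, none of which is an expected resolver; the outbound response line is ignored by the direction filter. The script avoids PowerShell 3.0 syntax so it runs on the PowerShell 2.0 that ships with 2008 R2.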
 
LVL 14

Expert Comment

by:BlueCompute
ID: 39274900
Run through this one to disable recursion: http://technet.microsoft.com/en-us/library/cc771738.aspx

And create a new zone for isc.org on your DNS server and add one A record with data 127.0.0.1

This won't stop the attack but it should go a long way to mitigating the effects of it and reducing load on your system.
0
 
LVL 14

Expert Comment

by:BlueCompute
ID: 39275052
0
 

Author Comment

by:ameriaadmin
ID: 39277101
But I need to use forwarders. Does it mean that I can't disable recursion?
0
 
LVL 14

Expert Comment

by:BlueCompute
ID: 39277288
Why do you need forwarders if you're only serving your own zone?  Regardless of that, you can use forwarders with recursion disabled.
0
 

Author Comment

by:ameriaadmin
ID: 39277553
I have DNS servers in the LAN network and they send DNS queries to the DNS server in the DMZ zone. The DNS server in the DMZ zone has forwarders and requests
After disabling recursion I can't get DNS answers.
0
 
LVL 14

Expert Comment

by:BlueCompute
ID: 39277636
I'm not following you.  Why is the DNS server in the DMZ again?
0
 

Author Comment

by:ameriaadmin
ID: 39277861
For external services: web, mail...
0
 

Author Comment

by:ameriaadmin
ID: 39277870
How can I use forwarders with recursion disabled?
0
 
LVL 14

Expert Comment

by:BlueCompute
ID: 39278045
Sorry ameriaadmin, I have given incorrect info.  You can't use forwarders with recursion disabled; what you can do is set 'Do not use recursion' so that the queries will only be made to the specified forwarders.

Did you try creating a dummy zone on your DNS server for isc.org?

http://www.windowsecurity.com/articles-tutorials/windows_server_2008_security/DNS-Security-Part2.html
0
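The server-side steps from this thread (the dummy zone for isc.org suggested earlier, and the forward-only setting from the correction just above), as an added example issued through dnscmd.exe. This is not code from the thread or from the linked articles; it assumes a file-backed primary zone, and 203.0.113.5 / 203.0.113.6 are placeholders for the ISP's resolvers.

```powershell
# Added example (not from the thread): DNS-side mitigations with dnscmd.exe, which is
# what Windows Server 2008 R2 ships with (the DnsServer PowerShell module only arrived
# with Server 2012). Run from an elevated prompt on the DMZ DNS server; "." = local host.

# 1. Sinkhole the abused name. A local primary zone for isc.org whose only data is a
#    tiny A record means the server answers from its own zone file: no recursion, and
#    an ANY answer of a few records instead of the multi-kilobyte real one.
#    (As the poster notes, this only covers the one name the attackers are using now.)
dnscmd . /ZoneAdd isc.org /Primary /file isc.org.dns
dnscmd . /RecordAdd isc.org @ A 127.0.0.1

# 2. Pick ONE of the following, they are alternatives:
# 2a. Authoritative-only server that needs no forwarders: switch recursion off.
#     This is the "Disable recursion (also disables forwarders)" checkbox, so it is
#     NOT what the poster wants while LAN resolvers still forward through this host.
# dnscmd . /Config /NoRecursion 1

# 2b. Server that must keep its forwarders (the poster's case): keep recursion on but
#     make it forward-only, so it only ever sends to the listed forwarders and never
#     walks the root hints itself. This is "Do not use recursion for this domain" on
#     the Forwarders tab. The addresses are placeholders for the ISP resolvers.
dnscmd . /ResetForwarders 203.0.113.5 203.0.113.6 /Slave

# Verify what took effect.
dnscmd . /Info /NoRecursion
dnscmd . /Info /IsSlave
dnscmd . /EnumZones
```

Forward-only (2b) removes the server's own recursion to the Internet but, as the rest of the thread establishes, it still answers any Internet client for any name via the forwarders, so the amplification risk is only reduced, not removed; that is why the accepted answer moves the real control to the firewall.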
 

Author Comment

by:ameriaadmin
ID: 39281385
I have created a dummy zone for isc.org but I think it is not a solution. Attackers can use other zones.
Does this problem have a solution under the Windows operating system?
0
 
LVL 14

Expert Comment

by:BlueCompute
ID: 39281442
For your particular setup, i.e. a DNS server that needs to be recursive for your internal users and must also be publicly accessible, there is no better solution - only various methods of mitigating the impact. This is a shortcoming in the design of the DNS system, and it's not specific to Windows. Google "DNS Amplification" and you'll see that everyone from SMBs through to ISPs and core providers is suffering from these sorts of attacks at the moment.
Personally, if it was my environment, I'd run 2 DNS servers, one for your internal users with recursion and forwarders enabled, and another just for the zones you need to publish to the internet, with forwarding and recursion disabled.
The basic point here is that enabling forwarding/recursion on a public server allows arbitrary clients to construct requests such that the response is much larger than the request.
0
 
LVL 14

Expert Comment

by:BlueCompute
ID: 39281449
I'd also question whether you really need your DNS server to be public at all - do the IPs that you publish servers on change frequently, or are you authoritative for your own domains? If not, just use your registrar to publish your records for webmail etc, and keep your DNS server private.
0
 
LVL 14

Expert Comment

by:BlueCompute
ID: 39281464
https://www.riskanalytics.com/2013/05/23/dns-amplification-attacks/
"Unless you are providing a public DNS server, you should only be allowing queries for your domain or from IP addresses of your customers. If your DNS server is Internet facing, it should not be configured to allow recursion and only answer queries for which it is authoritative. The bad actors use a recursive DNS server by sending it a query with a spoofed source IP address (address of the victim). The recursive DNS server then replies to the victims address with the answer"
0
 

Author Comment

by:ameriaadmin
ID: 39283598
I think it will be the best solution to permit only the ISP's addresses. How can I configure it to accept only several IP addresses and allow queries only for my domains?
0
 
LVL 14

Accepted Solution

by: BlueCompute (earned 500 total points)
ID: 39284027
With Windows DNS server, you can't restrict queries by source. What you can do is drop all traffic inbound on port 53 that's not from your ISP at your network edge (via firewall) - that's probably what you'll need to do here.
0
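The accepted answer puts the control at the network edge. As an added example (not from the thread), the same restriction can be mirrored on the DNS host's own Windows Firewall as a second layer, using netsh since 2008 R2 has no firewall cmdlets. It assumes the stock inbound rule names the DNS Server role creates ("DNS (UDP, Incoming)" and "DNS (TCP, Incoming)", which the first command lets you confirm), and 203.0.113.0/24, 198.51.100.53 and 10.0.0.0/8 are placeholders for the ISP's name servers, the ISP resolver and the LAN resolvers that forward to this host.

```powershell
# Added example (not from the thread): host-level version of "drop port 53 unless it
# comes from the ISP", for the DMZ DNS server's own Windows Firewall. Run elevated.
# All addresses below are PLACEHOLDERS; substitute the real ISP and LAN resolver ranges.

# 1. List the inbound rules the DNS Server role installed, to confirm their names.
netsh advfirewall firewall show rule name=all dir=in | Select-String 'Rule Name:.*DNS'

# 2. Disable the stock rules, which allow port 53 from ANY remote address. Windows
#    Firewall merges allow rules, so a scoped rule alone would not narrow them.
#    (Names as created by the role on 2008 R2; adjust if step 1 shows otherwise.)
netsh advfirewall firewall set rule name="DNS (UDP, Incoming)" new enable=no
netsh advfirewall firewall set rule name="DNS (TCP, Incoming)" new enable=no

# 3. Allow port 53 only from the ISP's servers and the internal resolvers. TCP/53 is
#    needed as well for zone transfers to the ISP's secondaries and for large answers.
$trusted = "203.0.113.0/24,198.51.100.53,10.0.0.0/8"
netsh advfirewall firewall add rule name="DNS UDP from trusted resolvers" dir=in action=allow protocol=UDP localport=53 remoteip=$trusted
netsh advfirewall firewall add rule name="DNS TCP from trusted resolvers" dir=in action=allow protocol=TCP localport=53 remoteip=$trusted

# 4. Make sure unmatched inbound traffic is dropped on every profile. This is the
#    default, but it is what makes the scoped allow rules above sufficient.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 5. Review the result.
netsh advfirewall firewall show rule name="DNS UDP from trusted resolvers"
netsh advfirewall firewall show rule name="DNS TCP from trusted resolvers"
```

Unlike the edge firewall, this does nothing for the bandwidth and router CPU the thread starter saw, because the packets still reach the DMZ before being dropped; it only stops the server from generating the amplified answers. The edge rule remains the primary control.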
 

Author Closing Comment

by:ameriaadmin
ID: 39289760
With Windows DNS server, you can't restrict queries by source. What you can do is drop all traffic inbound on port 53 that's not from your ISP at your network edge (via firewall) - that's probably what you'll need to do here.
0
