Solved

DNS Amplification DDoS Attacks

Posted on 2013-06-25
Last Modified: 2013-07-01
Hello experts.
I have DNS servers on Windows 2008 R2 and I discovered DNS amplification DDoS attacks on them. How can I mitigate it?
I have blocked some IP addresses but it doesn't help.
Question by:ameriaadmin
22 Comments
 
LVL 7

Expert Comment

by:dec0mpile
ID: 39274730
You have to configure your server to drop the large packets.

The source IP addresses are not spoofed in the IP packets carrying the DNS response messages, so the source addresses identify the open recursive servers the zombies use. Depending on the severity of the attack and how strongly you wish to respond, you can rate-limit traffic from these source IP addresses or use a filtering rule that drops DNS response messages that are suspiciously large (over 512 bytes). In the extreme, you may choose to block traffic from the open recursive servers entirely. These efforts do not squelch the attack sources, and they do not reduce the load on networks and switches between your name server and the open recursive servers. Note that if you block all traffic from these open recursive servers you may interfere with legitimate attempts to resolve names through these servers; for example, some organizations run open recursive servers so that mobile employees can resolve from a "trusted" name server, so such users can be affected.

See this on how to do that with PowerShell:
http://technet.microsoft.com/en-us/security/hh972393.aspx

Attack explanation:
http://www.watchguard.com/infocenter/editorial/41649.asp
LVL 14

Expert Comment

by:BlueCompute
ID: 39274738
There are a few approaches to this, depending a lot on how your domain and network are configured. Firstly, do you need to be allowing access to your DNS servers from the internet at all? If not, don't - simply block ports 53 TCP and 53 UDP inbound at your firewall.
If you've already blocked access from the internet to your DNS servers, one of your client computers is likely infected and is the source of the packets - make sure all your client computers are fully updated and have working antivirus.
You also need to look at limiting recursion on your DNS servers to internal clients (this and a few other mitigation steps are described here).

Author Comment

by:ameriaadmin
ID: 39274765
Thank you.
Do you have a configuration guide?

Author Comment

by:ameriaadmin
ID: 39274776
I need to permit access from the Internet. It is not traffic from the LAN.
LVL 14

Expert Comment

by:BlueCompute
ID: 39274856
Two steps that could be effective are to disable recursion and to not respond (or send a duff, tiny response) to queries for the zones being used for the amplification attack.

If you need more info you'll have to give us a little more info about the environment -
Why do you need your DNS server to be publicly accessible?
How did you identify the attack - what symptoms did you see?
What are the malicious requests - what domain / zone?

Author Comment

by:ameriaadmin
ID: 39274879
I have a DNS service on Windows 2008 R2 in the DMZ. I have captured the DDoS on the core router. It has high CPU load. I have many requests for isc.org. I need to answer only for my zones. The master zone is on our servers and the slave zones are on the ISP's DNS servers.
LVL 14

Expert Comment

by:BlueCompute
ID: 39274900
Run through this one to disable recursion: http://technet.microsoft.com/en-us/library/cc771738.aspx

And create a new zone for isc.org on your DNS server and add one A record with data 127.0.0.1

This won't stop the attack but it should go a long way to mitigating the effects of it and reducing load on your system.
LVL 14

Expert Comment

by:BlueCompute
ID: 39275052

Author Comment

by:ameriaadmin
ID: 39277101
But I need to use forwarders. Does it mean that I can't disable recursion?
LVL 14

Expert Comment

by:BlueCompute
ID: 39277288
Why do you need forwarders if you're only serving your own zone?  Regardless of that, you can use forwarders with recursion disabled.

Author Comment

by:ameriaadmin
ID: 39277553
I have DNS servers in the LAN network and they send DNS queries to the DNS server in the DMZ zone. The DNS server in the DMZ zone has forwarders and requests
After disabling recursion I can't get DNS answers.
LVL 14

Expert Comment

by:BlueCompute
ID: 39277636
I'm not following you.  Why is the DNS server in the DMZ again?

Author Comment

by:ameriaadmin
ID: 39277861
For external services: web, mail...

Author Comment

by:ameriaadmin
ID: 39277870
How can I use forwarders with recursion disabled?
LVL 14

Expert Comment

by:BlueCompute
ID: 39278045
Sorry ameriaadmin, I have given incorrect info.  You can't use forwarders with recursion disabled, what you can do is set 'Do not use recursion' so that the queries will only be made to the specified forwarders.

Did you try creating a dummy zone on your DNS server for isc.org?

http://www.windowsecurity.com/articles-tutorials/windows_server_2008_security/DNS-Security-Part2.html

Author Comment

by:ameriaadmin
ID: 39281385
I have created a dummy zone for isc.org but I think it is not a solution. Attackers can use other zones.
Does this problem have a solution under the Windows operating system?
LVL 14

Expert Comment

by:BlueCompute
ID: 39281442
For your particular setup, i.e. a DNS server that needs to be recursive for your internal users and must also be publicly accessible, there is no better solution - only various methods of mitigating the impact. This is a shortcoming in the design of the DNS system, and it's not specific to Windows. Google "DNS Amplification" and you'll see that everyone from SMBs through to ISPs and core providers is suffering from these sorts of attacks at the moment.
Personally, if it was my environment, I'd run 2 DNS servers, one for your internal users with recursion and forwarders enabled, and another just for the zones you need to publish to the internet, with forwarding and recursion disabled.
The basic point here is that enabling forwarding/recursion on a public server allows arbitrary clients to construct requests such that the response is much larger than the request.
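The following is an added example, not part of the thread or of any Microsoft documentation, that puts the three suggestions above (the dummy zone for isc.org, "Do not use recursion" with forwarders, and a separate public-only server with recursion off) into dnscmd.exe commands as they would be run on a Windows Server 2008 R2 DNS server. The server name and the forwarder addresses are placeholders; which of the two recursion settings applies depends on whether the server is the internal resolver or the public-only authoritative server from the two-server design.

```powershell
# Added example (not from the thread): hardening a Windows Server 2008 R2 DNS
# server with dnscmd.exe. Run in an elevated PowerShell or cmd prompt.
$DnsServer  = 'dns-dmz'                              # placeholder: the DMZ DNS server name
$Forwarders = @('203.0.113.53', '203.0.113.54')      # placeholder: ISP resolvers (documentation range)

# 1. Dummy (sinkhole) zone for the name being abused. The server becomes
#    authoritative for isc.org and answers with one tiny A record, so the large
#    amplified answer for that name is never generated. As noted in the thread,
#    this only covers the one name; other names need the recursion settings below.
dnscmd $DnsServer /ZoneAdd isc.org /Primary /file isc.org.dns
dnscmd $DnsServer /RecordAdd isc.org @ A 127.0.0.1

# 2a. Public-only authoritative server (the second server in the two-server
#     design): switch recursion off completely. The server then answers only
#     for zones it hosts, and forwarders no longer work on it.
dnscmd $DnsServer /Config /NoRecursion 1

# 2b. Server that must still resolve for internal clients: keep recursion, but
#     send every non-authoritative query to the listed forwarders only.
#     /Slave is the "Do not use recursion for this domain" setting of the
#     Forwarders tab: the server will not fall back to root hints itself.
#     Use EITHER 2a OR 2b on a given server, never both.
# dnscmd $DnsServer /ResetForwarders $Forwarders /Slave

# Verify: /Info lists NoRecursion and the forwarder list; /ZoneInfo shows the zone.
dnscmd $DnsServer /Info
dnscmd $DnsServer /ZoneInfo isc.org
```

With 2b the server still answers recursive queries from any source that reaches port 53, it just sends them to the forwarders instead of resolving them itself, so the amplified responses can still be produced and the forwarders absorb the query load. That is why the thread's real fix is to keep that server off the Internet (or restrict port 53 at the firewall) and publish only a non-recursive server.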
LVL 14

Expert Comment

by:BlueCompute
ID: 39281449
I'd also question whether you really need your DNS server to be public at all - do the IPs that you publish servers on change frequently, or are you authoritative for your own domains? If not, just use your registrar to publish your records for webmail etc., and keep your DNS server private.
LVL 14

Expert Comment

by:BlueCompute
ID: 39281464
https://www.riskanalytics.com/2013/05/23/dns-amplification-attacks/
"Unless you are providing a public DNS server, you should only be allowing queries for your domain or from IP addresses of your customers. If your DNS server is Internet facing, it should not be configured to allow recursion and only answer queries for which it is authoritative. The bad actors use a recursive DNS server by sending it a query with a spoofed source IP address (address of the victim). The recursive DNS server then replies to the victim's address with the answer"

Author Comment

by:ameriaadmin
ID: 39283598
I think it will be the best solution to permit only the ISP's addresses. How can I configure it to accept only several IP addresses and allow queries only for my domains?
LVL 14

Accepted Solution

by:
BlueCompute earned 500 total points
ID: 39284027
With Windows DNS server, you can't restrict queries by source. What you can do is drop all traffic inbound on port 53 that's not from your ISP at your network edge (via firewall) - that's probably what you'll need to do here.
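The edge-firewall rule above is vendor-specific, so as an added example (not from the thread, and not the Microsoft rule set) here is the same allow-list applied on the Windows Server 2008 R2 host itself with netsh advfirewall, as a second layer behind the edge firewall. The address list is a placeholder: it must contain the ISP's secondary servers (which fetch zone transfers over TCP 53) and the internal LAN DNS servers that forward to this host, otherwise those will be cut off along with the attack traffic. The firewall group name is the one the DNS role installs; confirm it with the show command in the comments before running.

```powershell
# Added example (not from the thread): restrict inbound port 53 on the DNS host
# to an allow-list of sources. Run in an elevated PowerShell prompt.
# Placeholder list: ISP secondaries + internal DNS servers that forward here.
$Allowed = '203.0.113.10,203.0.113.11,10.0.0.0/24'

# The DNS role installs its own inbound allow rules for port 53 that accept any
# remote address. Disable that group so only the scoped rules below match.
# (Confirm the group name with: netsh advfirewall firewall show rule name=all)
netsh advfirewall firewall set rule group="DNS Service" new enable=no

# Allow UDP 53 and TCP 53 only from the listed sources.
netsh advfirewall firewall add rule name="DNS in UDP (allow-listed sources)" dir=in action=allow protocol=UDP localport=53 "remoteip=$Allowed"
netsh advfirewall firewall add rule name="DNS in TCP (allow-listed sources)" dir=in action=allow protocol=TCP localport=53 "remoteip=$Allowed"

# Make sure unmatched inbound traffic is dropped for every profile, so a
# spoofed query from any other source never reaches the DNS service.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Check the resulting rules.
netsh advfirewall firewall show rule name="DNS in UDP (allow-listed sources)"
netsh advfirewall firewall show rule name="DNS in TCP (allow-listed sources)"
```

Because a host firewall drops packets only after they have crossed the DMZ link, the edge rule remains the one that relieves the router and the core from the flood; the host rule just guarantees the DNS service never answers a query that slipped past it. Replies from the forwarders arrive on ephemeral ports, not port 53, so outbound resolution is unaffected by these inbound rules.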

Author Closing Comment

by:ameriaadmin
ID: 39289760
With Windows DNS server, you can't restrict queries by source. What you can do is drop all traffic inbound on port 53 that's not from your ISP at your network edge (via firewall) - that's probably what you'll need to do here.
