DNS Amplification DDoS Attacks

Hello experts.
I have DNS servers on Windows 2008 R2 and I discovered DNS amplification DDoS attacks on them. How can I mitigate this?
I had closed some IP addresses, but it doesn't help.
 
dec0mpile commented:
You have to configure your server to drop the large packets.

The source IP addresses are not spoofed in the IP packets carrying the DNS response messages, so the source addresses identify the open recursive servers the zombies use. Depending on the severity of the attack and how strongly you wish to respond, you can rate-limit traffic from these source IP addresses or use a filtering rule that drops DNS response messages that are suspiciously large (over 512 bytes). In the extreme, you may choose to block traffic from the open recursive servers entirely. These efforts do not squelch the attack sources, and they do not reduce the load on networks and switches between your name server and the open recursive servers. Note that if you block all traffic from these open recursive servers you may interfere with legitimate attempts to resolve names through these servers; for example, some organizations run open recursive servers so that mobile employees can resolve from a "trusted" name server, so such users can be affected.

See this on how to do that with PowerShell:
http://technet.microsoft.com/en-us/security/hh972393.aspx

Attack explanation:
http://www.watchguard.com/infocenter/editorial/41649.asp
 
BlueCompute commented:
There are a few approaches to this, depending a lot on how your domain and network are configured. Firstly, do you need to be allowing access to your DNS servers from the internet at all? If not, don't: simply block ports 53 TCP and 53 UDP inbound at your firewall.
If you've already blocked access from the internet to your DNS servers, one of your client computers is likely infected and is the source of the packets; make sure all your client computers are fully updated and have working antivirus.
You also need to look at limiting recursion on your DNS servers to internal clients (this and a few other mitigation steps are described here).
 
ameriaadmin (author) commented:
Thank you.
Do you have a configuration guide?
 
ameriaadmin (author) commented:
I need to permit access from the Internet. It is not traffic from the LAN.
 
BlueCompute commented:
Two steps that could be effective are to disable recursion and to not respond (or send a duff, tiny response) to queries for the zones being used for the amplification attack.

If you need more info you'll have to give us a little more info about the environment:
Why do you need your DNS server to be publicly accessible?
How did you identify the attack? What symptoms did you see?
What are the malicious requests? What domain / zone?
 
ameriaadmin (author) commented:
I have a DNS service on Windows 2008 R2 in the DMZ. I have captured the DDoS on the core router. It has high CPU load. I have many requests for isc.org. I need to answer only for my zones. The master zone is on our servers and the slave zones are on the ISP's DNS servers.
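The "how did you identify the attack / what domain, what zone" questions above are usually answered from the server's own DNS debug log rather than from a router CPU graph. The following PowerShell script is an added example, not code from this thread or from Microsoft: it summarises received queries by client address, name and record type and flags the classic reflection pattern (repeated ANY queries for names the server is not authoritative for). The sample lines are constructed to imitate the layout of a Windows DNS debug log (enabled on the server's Debug Logging tab in DNS Manager); the field layout assumed by the regular expression, the `example.com` zone and the threshold are assumptions for the example.

```powershell
# Added example (not from the thread): summarise received queries from Windows DNS
# debug-log style lines to see which names, record types and client addresses dominate.
# Lines in $sample are constructed for this example; they follow the general layout of
# a Windows DNS debug log line (date, time, thread id, PACKET, packet pointer, protocol,
# Rcv/Snd, remote IP, XID, [R] Q, flags, query type, name as length-prefixed labels).
# Written for PowerShell 2.0 (the version that ships with Windows 2008 R2).

$sample = @'
3/25/2013 10:15:01 AM 0A28 PACKET  000000000337E8C0 UDP Rcv 198.51.100.7    0002   Q [0001   D   NOERROR] ANY    (3)isc(3)org(0)
3/25/2013 10:15:01 AM 0A28 PACKET  000000000337E8C0 UDP Rcv 198.51.100.7    0003   Q [0001   D   NOERROR] ANY    (3)isc(3)org(0)
3/25/2013 10:15:01 AM 0A28 PACKET  000000000337E8C0 UDP Rcv 198.51.100.7    0004   Q [0001   D   NOERROR] ANY    (3)isc(3)org(0)
3/25/2013 10:15:01 AM 0A28 PACKET  000000000337E8C0 UDP Snd 198.51.100.7    0002 R Q [8081   DR  NOERROR] ANY    (3)isc(3)org(0)
3/25/2013 10:15:02 AM 0A28 PACKET  000000000337E8C0 UDP Rcv 203.0.113.25    0011   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
3/25/2013 10:15:02 AM 0A28 PACKET  000000000337E8C0 UDP Rcv 203.0.113.25    0012   Q [0001   D   NOERROR] MX     (7)example(3)com(0)
'@ -split "`r?`n"

# Assumed layout: protocol, direction, remote IP, XID, optional "R" (response), "Q",
# bracketed flags, query type, then the query name in length-prefixed label form.
$pattern = '(?<proto>UDP|TCP)\s+(?<dir>Rcv|Snd)\s+(?<client>\d{1,3}(?:\.\d{1,3}){3})\s+\w+\s+(?:R\s+)?Q\s+\[[^\]]*\]\s+(?<qtype>\S+)\s+(?<qname>\S+)\s*$'

function ConvertFrom-DnsLogName {
    param([string]$Raw)
    # "(3)isc(3)org(0)" -> "isc.org"
    $n = $Raw -replace '^\(\d+\)', '' -replace '\(\d+\)', '.'
    if ($n -eq '.') { return '.' }      # root query
    return $n.TrimEnd('.').ToLower()
}

function Get-DnsQuerySummary {
    param(
        [string[]]$Lines,
        [string[]]$AuthoritativeZones = @('example.com'),   # zones this server hosts (assumed)
        [int]$Threshold = 3                                  # repeats from one address before flagging
    )
    $rows = @()
    foreach ($line in $Lines) {
        # Only queries received by the server matter here; responses (Snd) are skipped.
        if ($line -match $pattern -and $Matches['dir'] -eq 'Rcv') {
            $rows += New-Object PSObject -Property @{
                Client = $Matches['client']
                QType  = $Matches['qtype']
                QName  = ConvertFrom-DnsLogName $Matches['qname']
            }
        }
    }
    $rows | Group-Object Client, QName, QType | ForEach-Object {
        $first  = $_.Group[0]
        $inZone = $false
        foreach ($z in $AuthoritativeZones) {
            if ($first.QName -eq $z -or $first.QName.EndsWith(".$z")) { $inZone = $true }
        }
        New-Object PSObject -Property @{
            Client = $first.Client; QName = $first.QName; QType = $first.QType
            Count  = $_.Count;      InZone = $inZone
            # Repeated ANY queries for names we are not authoritative for: the reflection
            # pattern. In an amplification attack the "client" is the spoofed victim
            # address, so these rows say which responses to rate-limit and which names to
            # stop recursing for, not whom to blacklist.
            Suspicious = (-not $inZone -and $first.QType -eq 'ANY' -and $_.Count -ge $Threshold)
        }
    } | Sort-Object Count -Descending
}

Get-DnsQuerySummary -Lines $sample |
    Format-Table Client, QName, QType, Count, InZone, Suspicious -AutoSize
```

With a real log, replace `$sample` with `Get-Content C:\Windows\System32\dns\dns.log` (the default debug-log path on the server is whatever you set on the Debug Logging tab) and raise `$Threshold` to something meaningful for your query volume; the three-repeat threshold is only sized for the constructed sample.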
 
BlueCompute commented:
Run through this one to disable recursion: http://technet.microsoft.com/en-us/library/cc771738.aspx

And create a new zone for isc.org on your DNS server and add one A record with data 127.0.0.1.

This won't stop the attack but it should go a long way to mitigating the effects of it and reducing load on your system.
 
ameriaadmin (author) commented:
But I need to use forwarders. Does it mean that I can't disable recursion?
 
BlueCompute commented:
Why do you need forwarders if you're only serving your own zone?  Regardless of that, you can use forwarders with recursion disabled.
 
ameriaadmin (author) commented:
I have DNS servers in the LAN network and they send DNS queries to the DNS server in the DMZ zone. The DNS server in the DMZ zone has forwarders and requests
After disabling recursion I can't get DNS answers.
 
BlueCompute commented:
I'm not following you.  Why is the DNS server in the DMZ again?
 
ameriaadmin (author) commented:
For external services: web, mail...
 
ameriaadmin (author) commented:
How can I use forwarders with recursion disabled?
 
BlueCompute commented:
Sorry ameriaadmin, I have given incorrect info. You can't use forwarders with recursion disabled; what you can do is set 'Do not use recursion' so that the queries will only be made to the specified forwarders.

Did you try creating a dummy zone on your DNS server for isc.org?

http://www.windowsecurity.com/articles-tutorials/windows_server_2008_security/DNS-Security-Part2.html
 
ameriaadmin (author) commented:
I have created a dummy zone for isc.org, but I think it is not a solution; attackers can use other zones.
Does this problem have a solution under the Windows operating system?
 
BlueCompute commented:
For your particular setup, i.e. a DNS server that needs to be recursive for your internal users and must also be publicly accessible, there is no better solution, only various methods of mitigating the impact. This is a shortcoming in the design of the DNS system, and it's not specific to Windows. Google "DNS Amplification" and you'll see that everyone from SMBs through to ISPs and core providers is suffering from these sorts of attacks at the moment.
Personally, if it was my environment, I'd run 2 DNS servers: one for your internal users with recursion and forwarders enabled, and another just for the zones you need to publish to the internet, with forwarding and recursion disabled.
The basic point here is that enabling forwarding/recursion on a public server allows arbitrary clients to construct requests such that the response is much larger than the request.
 
BlueCompute commented:
I'd also question whether you really need your DNS server to be public at all. Do the IPs that you publish servers on change frequently, or are you authoritative for your own domains? If not, just use your registrar to publish your records for webmail etc., and keep your DNS server private.
 
BlueCompute commented:
https://www.riskanalytics.com/2013/05/23/dns-amplification-attacks/
"Unless you are providing a public DNS server, you should only be allowing queries for your domain or from IP addresses of your customers. If your DNS server is Internet facing, it should not be configured to allow recursion and only answer queries for which it is authoritative. The bad actors use a recursive DNS server by sending it a query with a spoofed source IP address (address of the victim). The recursive DNS server then replies to the victims address with the answer"
 
ameriaadmin (author) commented:
I think it will be the best solution to permit only the ISP's addresses. How can I configure it to accept only several IP addresses and allow queries only for my domains?
 
BlueCompute commented:
With Windows DNS server, you can't restrict queries by source. What you can do is drop all traffic inbound on port 53 that's not from your ISP at your network edge (via firewall) - that's probably what you'll need to do here.
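The thread's conclusion is a two-server design (an Internet-facing server with recursion off and a separate internal resolver with forwarders and "Do not use recursion"), plus a firewall that only lets the ISP's secondaries reach port 53. The PowerShell script below is an added example, not code from this thread or from Microsoft, that applies either role to a Windows 2008 R2 DNS server with `dnscmd.exe` and puts the port-53 restriction on the host's own Windows Firewall with `netsh advfirewall` as defence in depth (BlueCompute's advice is to do the same at the network edge, which this script cannot do). All addresses are RFC 5737/1918 placeholders, the zone and rule names are assumed, and the built-in rule names `DNS (UDP, Incoming)` and `DNS (TCP, Incoming)` are assumed to be what the DNS Server role installs; the `dnscmd` and `netsh` switches themselves exist on 2008 R2.

```powershell
# Added example (not from the thread): configure a Windows 2008 R2 DNS server for one of
# the two roles BlueCompute describes and restrict inbound port 53 to known peers.
# dnscmd.exe and netsh advfirewall ship with 2008 R2; all addresses, the abused name's
# dummy zone and the firewall rule names below are placeholders/assumptions. Run elevated.
param(
    [ValidateSet('PublicAuthoritative', 'InternalResolver')]
    [string]$Role = 'PublicAuthoritative'
)

$IspSecondaries = @('192.0.2.53', '192.0.2.54')   # ISP slave servers that transfer your zones (placeholder)
$LanClients     = @('10.0.0.0/24')                # internal network served by the internal resolver (placeholder)
$Forwarders     = @('203.0.113.1', '203.0.113.2') # upstream resolvers for the internal role (placeholder)
$AbusedName     = 'isc.org'                       # name seen in the thread's attack traffic

function Invoke-Native {
    param([string]$Exe, [string]$Arguments)
    # Start-Process passes $Arguments verbatim, so netsh's name="..." quoting survives.
    $p = Start-Process -FilePath $Exe -ArgumentList $Arguments -Wait -NoNewWindow -PassThru
    if ($p.ExitCode -ne 0) { Write-Warning "$Exe $Arguments exited with code $($p.ExitCode)" }
}

function Set-PublicAuthoritativeRole {
    # Internet-facing server: answer only for zones it hosts. NoRecursion=1 disables
    # recursion and, on Windows DNS, forwarders with it (the point BlueCompute corrected).
    Invoke-Native dnscmd '/Config /NoRecursion 1'
    # Dummy zone for the abused name: a tiny authoritative answer instead of a recursive
    # lookup that returns a large response. Attackers can switch names, so this is only
    # a stop-gap; disabling recursion is what actually removes the amplification.
    Invoke-Native dnscmd "/ZoneAdd $AbusedName /Primary /file $AbusedName.dns"
    Invoke-Native dnscmd "/RecordAdd $AbusedName @ A 127.0.0.1"
    Invoke-Native dnscmd '/Info /NoRecursion'      # verify: should report 1
}

function Set-InternalResolverRole {
    # Internal resolver: recursion stays on, but queries go only to the forwarders.
    # /Slave is the "Do not use recursion for this domain" box (no root-hint fallback).
    Invoke-Native dnscmd '/Config /NoRecursion 0'
    Invoke-Native dnscmd ('/ResetForwarders ' + ($Forwarders -join ' ') + ' /Slave')
    Invoke-Native dnscmd '/Info /Forwarders'       # verify the forwarder list
}

function Restrict-InboundDns {
    param([string[]]$AllowedPeers)
    # Block rules beat allow rules in Windows Firewall, so instead of adding a block for
    # "everyone else" we rely on the default inbound block, disable the broad DNS-role
    # rules (names assumed) and add allow rules scoped to the known peers only.
    $remote = $AllowedPeers -join ','
    Invoke-Native netsh 'advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound'
    Invoke-Native netsh 'advfirewall firewall set rule name="DNS (UDP, Incoming)" new enable=no'
    Invoke-Native netsh 'advfirewall firewall set rule name="DNS (TCP, Incoming)" new enable=no'
    Invoke-Native netsh "advfirewall firewall add rule name=DNS-53-UDP-peers dir=in action=allow protocol=UDP localport=53 remoteip=$remote"
    Invoke-Native netsh "advfirewall firewall add rule name=DNS-53-TCP-peers dir=in action=allow protocol=TCP localport=53 remoteip=$remote"
}

switch ($Role) {
    'PublicAuthoritative' {
        Set-PublicAuthoritativeRole
        # Hidden-master layout from the thread: the ISP's slaves are the advertised name
        # servers, so only they need to reach this master (zone transfers and NOTIFY).
        Restrict-InboundDns -AllowedPeers $IspSecondaries
    }
    'InternalResolver' {
        Set-InternalResolverRole
        Restrict-InboundDns -AllowedPeers $LanClients
    }
}
```

Run it as `.\Harden-Dns.ps1 -Role PublicAuthoritative` on the DMZ server and `-Role InternalResolver` on the LAN server. The reason the two roles cannot be merged on one box is the thread's own finding: `/NoRecursion 1` also switches off forwarders, so a server that must resolve for LAN clients cannot at the same time refuse recursion to the Internet; the firewall scoping is what stops the DMZ box being reachable as a reflector, and the internal resolver is simply never exposed.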
 