Solved

DNS Amplification DDoS Attacks

Posted on 2013-06-25
22
1,610 Views
Last Modified: 2013-07-01
Hello experts.
I have DNS servers on Windows 2008 R2 and I discovered DNS amplification DDoS attacks on them. How can I mitigate this?
I have closed some IP addresses but it doesn't help.
0
22 Comments
 
LVL 7

Expert Comment

by:dec0mpile
ID: 39274730
You have to configure your server to drop the large packets.

The source IP addresses are not spoofed in the IP packets carrying the DNS response messages, so the source addresses identify the open recursive servers the zombies use. Depending on the severity of the attack and how strongly you wish to respond, you can rate-limit traffic from these source IP addresses or use a filtering rule that drops DNS response messages that are suspiciously large (over 512 bytes). In the extreme, you may choose to block traffic from the open recursive servers entirely. These efforts do not squelch the attack sources, and they do not reduce the load on networks and switches between your name server and the open recursive servers. Note that if you block all traffic from these open recursive servers you may interfere with legitimate attempts to resolve names through these servers; for example, some organizations run open recursive servers so that mobile employees can resolve from a "trusted" name server, so such users can be affected.

See this on how to do that with PowerShell:
http://technet.microsoft.com/en-us/security/hh972393.aspx

Attack explanation:
http://www.watchguard.com/infocenter/editorial/41649.asp
0
 
LVL 14

Expert Comment

by:BlueCompute
ID: 39274738
There are a few approaches to this, depending a lot on how your domain and network are configured. Firstly, do you need to be allowing access to your DNS servers from the internet at all? If not, don't - simply block ports 53 TCP and 53 UDP inbound at your firewall.
If you've already blocked access from the internet to your DNS servers, one of your client computers is likely infected and is the source of the packets - make sure all your client computers are fully updated and have working antivirus.
You also need to look at limiting recursion on your DNS servers to internal clients (this and a few other mitigation steps are described here).
0
 

Author Comment

by:ameriaadmin
ID: 39274765
Thank you.
Do you have a configuration guide?
0
 

Author Comment

by:ameriaadmin
ID: 39274776
I need to permit access from the Internet. It is not traffic from the LAN.
0
 
LVL 14

Expert Comment

by:BlueCompute
ID: 39274856
Two steps that could be effective are to disable recursion and to not respond (or send a duff, tiny response) to queries for the zones being used for the amplification attack.

If you need more info you'll have to give us a little more info about the environment -
Why do you need your DNS server to be publicly accessible?
How did you identify the attack - what symptoms did you see?
What are the malicious requests - what domain / zone?
0
 

Author Comment

by:ameriaadmin
ID: 39274879
I have a DNS service on Windows 2008 R2 in the DMZ. I have captured the DDoS on the core router. It has high CPU load. I have many requests for isc.org. I need to answer only for my zones. The master zone is on our servers and the slave zones are on the ISP's DNS servers.
0
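A way to put numbers on what ameriaadmin describes (a flood of isc.org queries seen at the router): the following is an added example, not from this thread, that summarises Windows DNS debug-log packet records by source, name and type and flags ANY queries for zones the server does not host. The log lines, the hosted-zone list and the function name are constructed for the example; the field layout mirrors the 2008 R2 debug log (protocol, Rcv/Snd, remote IP, XID, response flag, flags, type, label-encoded name) and the regex ignores the locale-dependent date prefix.

```powershell
# Added example (not from the thread). Enable the log under DNS Manager > server Properties >
# Debug Logging ("Log packets for debugging", Queries/Transfers, Request). The lines below are
# constructed samples in that layout; a real log is far longer and may hold packet hex dumps.
$sample = @'
6/25/2013 10:15:02 AM 0BE4 PACKET  0000000002A4B5C0 UDP Rcv 198.51.100.7     a3f1   Q [0001   D   NOERROR] ANY    (3)isc(3)org(0)
6/25/2013 10:15:02 AM 0BE4 PACKET  0000000002A4B5C0 UDP Rcv 198.51.100.7     a3f2   Q [0001   D   NOERROR] ANY    (3)isc(3)org(0)
6/25/2013 10:15:02 AM 0BE4 PACKET  0000000002A4B5C0 UDP Rcv 198.51.100.7     a3f3   Q [0001   D   NOERROR] ANY    (3)isc(3)org(0)
6/25/2013 10:15:03 AM 0BE4 PACKET  0000000002A4B5C0 UDP Rcv 10.0.0.5         0c11   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
6/25/2013 10:15:03 AM 0BE4 PACKET  0000000002A4B5C0 UDP Rcv 203.0.113.200    77aa   Q [0001   D   NOERROR] ANY    (3)isc(3)org(0)
6/25/2013 10:15:04 AM 0BE4 PACKET  0000000002A4B5C0 UDP Snd 198.51.100.7     a3f1 R Q [8081   DR  NOERROR] ANY    (3)isc(3)org(0)
'@

function Get-DnsQuerySummary {
    param([string[]]$Lines, [string[]]$HostedZones)
    # protocol, direction, remote IP, XID, optional "R" (response), "Q", [flags], qtype, name
    $pattern = '(UDP|TCP)\s+(Rcv|Snd)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+(R)?\s*Q\s+\[[^\]]+\]\s+(\S+)\s+(\S+)\s*$'
    $counts = @{}
    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }                        # header / hex-dump lines
        if ($Matches[2] -ne 'Rcv' -or $Matches[4] -eq 'R') { continue }   # inbound queries only
        # "(3)isc(3)org(0)" -> "isc.org"
        $name = (($Matches[6] -replace '^\(\d+\)', '') -replace '\(\d+\)', '.').TrimEnd('.')
        $key = '{0}|{1}|{2}' -f $Matches[3], $name.ToLower(), $Matches[5]
        if ($counts.ContainsKey($key)) { $counts[$key]++ } else { $counts[$key] = 1 }
    }
    $rows = foreach ($key in $counts.Keys) {
        $src, $name, $qtype = $key -split '\|'
        $hosted = $false
        foreach ($z in $HostedZones) { if ($name -eq $z -or $name.EndsWith('.' + $z)) { $hosted = $true } }
        New-Object PSObject -Property @{
            SourceIP = $src; Name = $name; QType = $qtype; Count = $counts[$key]
            # ANY for a zone we are not authoritative for is the classic amplification pattern
            Suspicious = ((-not $hosted) -and ($qtype -eq 'ANY'))
        }
    }
    $rows | Sort-Object -Property Count -Descending
}

# example.com stands in for the zones this server actually hosts
$lines = $sample -split "`r?`n"
Get-DnsQuerySummary -Lines $lines -HostedZones @('example.com') |
    Format-Table SourceIP, Name, QType, Count, Suspicious -AutoSize
```

Sources with a high count of Suspicious queries are the ones worth rate-limiting or dropping at the network edge; with a real log, replace `$sample` with `Get-Content` on the dns.log file.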
 
LVL 14

Expert Comment

by:BlueCompute
ID: 39274900
Run through this one to disable recursion: http://technet.microsoft.com/en-us/library/cc771738.aspx

And create a new zone for isc.org on your DNS server and add one A record with data 127.0.0.1

This won't stop the attack but it should go a long way to mitigating the effects of it and reducing load on your system.
0
 
LVL 14

Expert Comment

by:BlueCompute
ID: 39275052
0
 

Author Comment

by:ameriaadmin
ID: 39277101
But I need to use forwarders. Does it mean that I can't disable recursion?
0
 
LVL 14

Expert Comment

by:BlueCompute
ID: 39277288
Why do you need forwarders if you're only serving your own zone?  Regardless of that, you can use forwarders with recursion disabled.
0
 

Author Comment

by:ameriaadmin
ID: 39277553
I have DNS servers in the LAN network and they send DNS queries to the DNS server in the DMZ zone. The DNS server in the DMZ zone has forwarders and requests
After disabling recursion I can't get DNS answers.
0
 
LVL 14

Expert Comment

by:BlueCompute
ID: 39277636
I'm not following you.  Why is the DNS server in the DMZ again?
0
 

Author Comment

by:ameriaadmin
ID: 39277861
for external services web, mail...
0
 

Author Comment

by:ameriaadmin
ID: 39277870
How can I use forwarders with recursion disabled?
0
 
LVL 14

Expert Comment

by:BlueCompute
ID: 39278045
Sorry ameriaadmin, I have given incorrect info. You can't use forwarders with recursion disabled, what you can do is set 'Do not use recursion' so that the queries will only be made to the specified forwarders.

Did you try creating a dummy zone on your DNS server for isc.org?

http://www.windowsecurity.com/articles-tutorials/windows_server_2008_security/DNS-Security-Part2.html
0
 

Author Comment

by:ameriaadmin
ID: 39281385
I have created a dummy zone for isc.org but I think it is not a solution. Attackers can use other zones.
Does this problem have a solution under the Windows operating system?
0
 
LVL 14

Expert Comment

by:BlueCompute
ID: 39281442
For your particular setup, i.e. a DNS server that needs to be recursive for your internal users, and must also be publicly accessible, there is no better solution - only various methods of mitigating the impact. This is a shortcoming in the design of the DNS system, and it's not specific to Windows. Google "DNS Amplification" and you'll see that everyone from SMBs through to ISPs and core providers are suffering from these sorts of attacks at the moment.
Personally, if it was my environment, I'd run 2 DNS servers, one for your internal users with recursion and forwarders enabled, and another just for the zones you need to publish to the internet, with forwarding and recursion disabled.
The basic point here is that enabling forwarding/recursion on a public server allows arbitrary clients to construct requests such that the response is much larger than the request.
0
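As an added example (not BlueCompute's or ameriaadmin's own configuration), the dnscmd commands that implement the two-server split described above on Windows Server 2008 R2, where dnscmd is the scriptable interface to the DNS role (the DnsServer PowerShell module only arrived with Server 2012). The /Slave switch is what the 'Do not use recursion' checkbox mentioned earlier sets. Forwarder addresses are placeholders; isc.org is the zone named in the thread.

```powershell
# Added example, not from the thread. Run from an elevated prompt on the server being configured.

# --- Public (DMZ) server: authoritative only, answers just for the zones it hosts ---
dnscmd /Config /NoRecursion 1          # refuse to recurse for names we are not authoritative for
dnscmd /ResetForwarders                # no address list = clear the forwarders (my reading of dnscmd)

# Dummy zone for the abused name: a single tiny answer instead of a multi-kilobyte ANY response.
dnscmd /ZoneAdd isc.org /Primary /file isc.org.dns
dnscmd /RecordAdd isc.org @ A 127.0.0.1

# --- Internal (LAN) server: recursion stays on for LAN clients, but it only asks the listed
#     forwarders and never the roots ("Do not use recursion" = /Slave). Placeholder addresses.
# dnscmd /ResetForwarders 192.0.2.53 192.0.2.54 /Slave

# --- Verify on the public server ---
dnscmd /Info /NoRecursion              # expect NoRecursion = 1
nslookup -type=A isc.org 127.0.0.1     # expect only the dummy record 127.0.0.1
```

The dummy zone only blunts the one name currently being abused; disabling recursion on the public server is what stops the next zone an attacker picks from being amplified through it.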
 
LVL 14

Expert Comment

by:BlueCompute
ID: 39281449
I'd also question whether you really need your DNS server to be public at all - do the IPs that you publish servers on change frequently, or are you authoritative for your own domains? If not, just use your registrar to publish your records for webmail etc., and keep your DNS server private.
0
 
LVL 14

Expert Comment

by:BlueCompute
ID: 39281464
https://www.riskanalytics.com/2013/05/23/dns-amplification-attacks/
"Unless you are providing a public DNS server, you should only be allowing queries for your domain or from IP addresses of your customers. If your DNS server is Internet facing, it should not be configured to allow recursion and only answer queries for which it is authoritative. The bad actors use a recursive DNS server by sending it a query with a spoofed source IP address (address of the victim). The recursive DNS server then replies to the victim's address with the answer."
0
 

Author Comment

by:ameriaadmin
ID: 39283598
I think the best solution will be to permit only the ISP's addresses. How can I configure it to accept only several IP addresses and allow queries only for my domains?
0
 
LVL 14

Accepted Solution

by:
BlueCompute earned 500 total points
ID: 39284027
With Windows DNS server, you can't restrict queries by source. What you can do is drop all traffic inbound on port 53 that's not from your ISP at your network edge (via firewall) - that's probably what you'll need to do here.
0
 

Author Closing Comment

by:ameriaadmin
ID: 39289760
With Windows DNS server, you can't restrict queries by source. What you can do is drop all traffic inbound on port 53 that's not from your ISP at your network edge (via firewall) - that's probably what you'll need to do here.
0
