DNS Attack

Posted on 2013-10-26
Last Modified: 2013-11-22
Small network of about 40 machines with a new SBS2011 server. I was about to wean our server off POP3 when I noticed in our firewall logs about 30-40 DNS (port 53) entries from external IPs happening every second on our WAN side. We have outward WAN interfaces with static IPs leading to separate networks. The second has just one box in it. I am seeing these queries on both interfaces. The first step I took was to physically disconnect from the internet, actively scan all the machines that were up (all clean) and flush the SBS DNS cache in case it was poisoned. I reconnected just the router (it is a UTM appliance with IDP) and checked the logs: same thing. I called our ISP and the tech said they hadn't received any alerts for DNS issues, thought my situation was unusual and suggested I add a second firewall. I am not seeing any unusual traffic outbound, and I limit outbound traffic to necessary services only.
I could place a multihomed box just inside running Wireshark, but I wanted to run this by the community for any ideas or anything I have missed.
Question by: Roy17

Expert Comment

ID: 39603663
1. Block UDP port 53 and TCP port 53 for incoming connections.
2. Set the DNS up so it does not answer recursive lookups from anything other than your local net.

Assisted Solution

btan earned 250 total points
ID: 39603700
If it is outbound, trace it down to the machine spawning off the DNS calls; but if it is a DNS call from external, as mentioned, it is unlikely you can shelve it aside unless the source is not legit, as in an RBL / DNSBL lookup, which typically goes together with an email spam filter.

In general, I see that you can consider applying your filtering in layers, if at all possible:
- hardware upstream of your server acts as one layer to reject this malicious traffic
- blocking an IP or rate limiting the number of connection attempts allowed
- monitoring the log files and dynamically responding to these attempts as a second layer
- adding white and black list filtering to your application or the systems targeted as a third layer

Understand it does not solve the issue, esp. if the source IPs are randomised like a botnet. Meanwhile, besides scanning clients, also do some internal checks such as:
- identify any open recursive resolvers
- do not allow unrestricted recursive resolution for any client on the Internet
- use DNSInspect (web-based tool) for testing DNS resolvers

Do catch the CERT DNS alert advisory; it may come in handy:

PS: adding more FW doesn't solve it, it probably just matches the load, but it can be ongoing.

Author Comment

ID: 39603983
HalldorG, thanks. We have been blocking port 53 incoming from the get-go. We only have a rule to allow HTTPS and deny everything else. The DNS A record pointing to our HTTPS interface is on our hosting service (which acts as our parent name server for our domain name). The DNS server on the SBS is mainly to provide DNS for clients' internet access. Disabling recursion essentially kills that.

breadtan, it looks external and somewhat randomized. I get about 20-30 from each source.
This DNS is internal (and the only one); it does use recursion but is set to answer only on the server interface. Our firewall blocks all incoming port 53 requests, period. In fact all ports reject packets, and always have, except HTTPS. I am still not seeing any unusual traffic on the outgoing interface. I will definitely scan any machines that are off for the weekend as they come online. Our parent name server (hosting service) which handles DNS for our registered domain (and has A records pointing to our two interfaces) grades out as "A" with DNSInspect. Will hardware upstream of our internal server be of benefit in this instance?

Anything else? Or should I just ride it out and closely monitor it? Being in our own little corner of the universe I do wonder how this came about.
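The shape Roy17 describes (tens of port-53 packets per second, a handful from each of many unrelated sources, on both WAN interfaces) and the internal check he is doing can both be pulled out of firewall logs mechanically. The following Python is an added example for this thread, not code from the thread or from any UTM vendor; the key=value log line format, the interface names wan1/wan2/lan, the addresses and the resolver IP 192.168.1.2 are constructed assumptions. It counts inbound UDP/TCP port-53 packets per second and per source on the WAN side, flags the many-sources-few-packets pattern that a per-IP block or rate limit (btan's second layer) would never trigger on, and separately lists any internal host other than the site resolver that is sending DNS out, which is the sort of thing an infected client would show up as.

```python
import re
from collections import Counter

# One packet per line in a generic "key=value" syslog style. This is a constructed
# format for the example, not any particular UTM vendor's log layout.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) in=(?P<ifin>\w+)(?: out=(?P<ifout>\w+))? "
    r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+) sport=(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)


def constructed_sample() -> str:
    """Constructed log excerpt: two seconds of inbound port 53 on both WAN interfaces,
    three packets from each of several unrelated sources, plus two outbound DNS packets
    from the LAN (the resolver, and one client that should not be doing its own lookups)."""
    lines = []
    inbound = [
        ("2013-10-26T09:15:01", "wan1", ["203.0.113.10", "198.18.4.77", "192.0.2.200", "203.0.113.99"]),
        ("2013-10-26T09:15:02", "wan2", ["198.18.9.1", "192.0.2.31", "203.0.113.45", "198.18.200.8"]),
    ]
    for ts, iface, sources in inbound:
        for src in sources:
            for i in range(3):
                lines.append(f"{ts} action=deny in={iface} proto=udp src={src} sport={40000 + i} "
                             f"dst=198.51.100.5 dport=53 len=64")
    # the site resolver recursing outward (expected)
    lines.append("2013-10-26T09:15:01 action=allow in=lan out=wan1 proto=udp src=192.168.1.2 "
                 "sport=51234 dst=198.41.0.4 dport=53 len=52")
    # a LAN client talking to an outside resolver directly (not expected on this network)
    lines.append("2013-10-26T09:15:02 action=allow in=lan out=wan1 proto=udp src=192.168.1.57 "
                 "sport=49100 dst=203.0.113.53 dport=53 len=52")
    return "\n".join(lines)


def analyze_dns_traffic(log_text: str, wan_ifaces: set, resolver_ips: set, pps_threshold: int = 10) -> dict:
    """Summarise port-53 traffic: inbound flood on the WAN side and unexpected outbound DNS."""
    per_second = Counter()       # inbound WAN port-53 packets per timestamp second
    per_source = Counter()       # inbound WAN port-53 packets per source address
    unexpected_outbound = set()  # LAN hosts other than the resolver sending DNS to the Internet
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dport"] != "53" or m["proto"] not in ("udp", "tcp"):
            continue
        if m["ifin"] in wan_ifaces:
            per_second[m["ts"]] += 1
            per_source[m["src"]] += 1
        elif m["ifout"] in wan_ifaces and m["src"] not in resolver_ips:
            unexpected_outbound.add(m["src"])
    peak = max(per_second.values(), default=0)
    busiest_source = max(per_source.values(), default=0)
    return {
        "peak_pps": peak,
        "flood": peak >= pps_threshold,
        "distinct_sources": len(per_source),
        "busiest_source_pkts": busiest_source,
        # many sources, none of them chatty: blocking or rate limiting single IPs cannot help
        "diffuse": len(per_source) >= 4 and busiest_source < pps_threshold,
        "unexpected_outbound_dns": sorted(unexpected_outbound),
    }


if __name__ == "__main__":
    print(analyze_dns_traffic(constructed_sample(), {"wan1", "wan2"}, {"192.168.1.2"}))
```

The "diffuse" flag is the useful one here: when the flood is spread thinly over many addresses, the per-IP measures in a UTM are the wrong tool, and the decision reduces to what the first expert said, drop port 53 inbound at the edge and keep an eye on the outbound list for any internal host joining in.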

Accepted Solution

HalldorG earned 250 total points
ID: 39604107
This is a so-called DNS amplification attack. A DNS query of 70 bytes can give an answer of a 4000-byte TXT record to the address the attacker spoofs.
It also kills that firewall, as it needs a lot of CPU to control the DNS inspection.
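To make the byte counts in this answer concrete, here is an added Python example (not from the thread) that builds the two packets involved in memory: a small recursion-desired query carrying an EDNS0 OPT record, and the TXT reply a server holding large TXT records would send back. The zone name example.com, the 255-byte TXT strings and the 4096-byte EDNS buffer are assumptions. The OPT record matters because a plain UDP answer is capped at 512 bytes; advertising 4096 is what lets one small query pull back a reply of several kilobytes. Nothing is sent: in the real attack the query's UDP source address is forged to the victim's, so the reply lands on the victim, not the sender. The header parser also exposes the RA (recursion available) flag, which is what an open-resolver test looks for in a reply to a query from outside the local net.

```python
import struct

TYPE_TXT, TYPE_OPT, CLASS_IN = 16, 41, 1


def encode_name(name: str) -> bytes:
    """Dotted name -> DNS wire format: length-prefixed labels ending in the root (0x00) label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def question_len(msg: bytes) -> int:
    """Byte length of the first question (name + type + class), which starts at offset 12."""
    i = 12
    while msg[i] != 0:
        i += 1 + msg[i]          # skip one label
    return (i + 1 + 4) - 12


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header. RA=1 in a reply to an outside client means recursion is open."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def build_query(qname: str, qtype: int = TYPE_TXT, udp_size: int = 4096, txid: int = 0x1234) -> bytes:
    """Recursion-desired query plus an EDNS0 OPT record advertising udp_size (assumed 4096)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)        # RD=1, 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT pseudo-RR: root name, type 41, the "class" field carries the UDP payload size
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return header + question + opt


def edns_udp_size(query: bytes) -> int:
    """UDP payload size the querier advertised in its OPT record, or 512 if it sent none."""
    pos = 12 + question_len(query)
    if parse_header(query)["arcount"] == 0 or pos >= len(query) or query[pos] != 0:
        return 512
    rtype, size = struct.unpack("!HH", query[pos + 1:pos + 5])
    return size if rtype == TYPE_OPT else 512


def max_txt_rrs(query: bytes, txt_len: int) -> int:
    """How many single-string TXT records of txt_len bytes fit in the advertised reply size."""
    fixed = 12 + question_len(query) + 11   # header + echoed question + OPT in the reply
    per_rr = 2 + 10 + 1 + txt_len            # name pointer, type/class/ttl/rdlen, length byte, text
    return (edns_udp_size(query) - fixed) // per_rr


def build_txt_response(query: bytes, rr_count: int, txt_len: int = 255, ttl: int = 300) -> bytes:
    """The reply a server holding rr_count large TXT records would send for this query."""
    assert 1 <= txt_len <= 255, "a TXT character-string is at most 255 bytes"
    question = query[12:12 + question_len(query)]
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, rr_count, 0, 1)   # QR=1 RD=1 RA=1
    rdata = bytes([txt_len]) + b"A" * txt_len
    # owner name is a compression pointer (0xC00C) back to the question name at offset 12
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return header + question + rr * rr_count + opt


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the victim receives per byte the attacker sent (reply goes to the forged source)."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("example.com")
    r = build_txt_response(q, max_txt_rrs(q, 255))
    print(len(q), len(r), parse_header(r)["ancount"], round(amplification_factor(q, r), 1))
```

With the assumed name the query is 40 bytes and the reply fills the advertised 4096-byte buffer with 15 TXT records, so the ratio is on the order of a hundred to one; a real ANY or TXT query for a zone with DNSSEC or long TXT data behaves the same way, which is why the first expert's two rules (no port 53 from outside, no recursion for outside clients) are the fix on the server side.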

Author Closing Comment

ID: 39604256

Yes, that is it. Our firewall is consistently staying at or below 20% usage. It appears all that can be done is continue to monitor it and double check internally as the cause concerns me.

Thanks to you and breadtan for the info.
