Solved

DNS Attack

Posted on 2013-10-26
694 Views
Last Modified: 2013-11-22
Small network of about 40 machines with a new SBS2011 server. I was about to wean our server off POP3 when I noticed in our firewall logs about 30-40 DNS (port 53) entries from external IPs happening every second on our WAN side. We have outward WAN interfaces with static IPs leading to separate networks. The second has just one box in it. I am seeing these queries on both interfaces. The first step I took was to physically disconnect from the internet, actively scan all the machines that were up (all clean) and flush the SBS DNS cache in case it was poisoned. I reconnected just the router (it is a UTM appliance with IDP) and checked the logs, same thing. I called our ISP and the tech said they hadn't received any alerts for DNS issues, thought my situation was unusual and suggested I add a second firewall. I am not seeing any unusual traffic outbound and I limit outbound traffic to necessary services only.
I could place a multihomed box just inside running wireshark but I wanted to run this by the community for any ideas or anything I have missed.
Question by:Roy17
5 Comments
LVL 7

Expert Comment

by:HalldorG
ID: 39603663
1. Block UDP port 53 and TCP port 53 for incoming connections.
2. Set the DNS up so it does not answer recursive lookups from anywhere other than your local net.
LVL 62

Assisted Solution

by:btan
btan earned 250 total points
ID: 39603700
If it is outbound, trace down to the machine spawning off the DNS calls, but if it is a DNS call from external as mentioned, it is unlikely you can shelve it aside unless the source is not legit, as in an RBL / DNSBL lookup, which typically goes together with an email spam filter ..
http://www.spamhaus.org/faq/section/DNSBL%20Usage#30
http://www.spamhaus.org/faq/section/DNSBL%20Usage#365

In general, I see that you can consider applying your filtering in layers, if at all possible:
- hardware upstream of your server acts as one layer to reject this malicious traffic
- blocking an IP or rate limiting the number of connection attempts allowed
- monitor the log files and dynamically respond to these attempts as a second layer
- add white and black list filtering to the applications or systems targeted as a third layer

Understand it does not solve the issue, especially if the source IPs are randomised like a botnet. Meanwhile, besides scanning clients, also do some internal checks such as
- identify any open recursive resolvers
- do not allow unrestricted recursive resolution for any client on the Internet
- use DNSInspect (web-based tool) for testing DNS resolvers

Do catch the CERT DNS alert advisory, it may come in handy:
http://www.us-cert.gov/ncas/alerts/TA13-088A

PS: adding more FWs doesn't solve it - probably just matches the load, but it can be ongoing ..
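As an added example (not code from any post in this thread), here is the "monitor the log files and respond" layer from the post above worked through in Python: it parses firewall log lines, counts inbound port-53 hits from external sources per second and per source, and flags sources that exceed a rate threshold. The log format, the internal address ranges and the sample lines are all constructed for this example and are not the poster's actual UTM output.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Internal address ranges of the (hypothetical) site; an assumption for this example.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                 ipaddress.ip_network("10.0.0.0/8")]


def _lines(spec):
    """Expand (line, repeat-count) pairs into a flat list of log lines."""
    return [line for line, n in spec for _ in range(n)]


# Constructed sample in a hypothetical UTM log format:
# "<date> <time> <wan-if> <src>:<sport> -> <dst>:<dport> <proto> <action>"
SAMPLE_LOG = _lines([
    ("2013-10-26 09:14:01 wan1 203.0.113.10:53211 -> 198.51.100.5:53 udp drop", 6),
    ("2013-10-26 09:14:01 wan1 203.0.113.20:40000 -> 198.51.100.5:53 udp drop", 2),
    ("2013-10-26 09:14:01 wan2 203.0.113.10:53212 -> 198.51.100.9:53 udp drop", 1),
    ("2013-10-26 09:14:02 wan1 203.0.113.10:53213 -> 198.51.100.5:53 udp drop", 3),
    # outbound lookup by an internal client: not an inbound DNS event
    ("2013-10-26 09:14:02 wan1 192.168.1.50:51000 -> 8.8.8.8:53 udp allow", 1),
    # the one allowed service (HTTPS): ignored by the DNS counters
    ("2013-10-26 09:14:02 wan1 203.0.113.30:44444 -> 198.51.100.5:443 tcp allow", 1),
])

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<iface>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+) (?P<action>\w+)$")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def inbound_dns_events(lines):
    """Yield parsed entries for port-53 traffic arriving from external sources."""
    for line in lines:
        e = parse_line(line)
        if e and e["dport"] == 53 and not is_internal(e["src"]):
            yield e


def queries_per_second(lines):
    """Inbound DNS hits per one-second bucket, summed over all WAN interfaces."""
    c = Counter(e["ts"] for e in inbound_dns_events(lines))
    return dict(c)


def per_source_totals(lines):
    """Total inbound DNS hits per external source address."""
    return dict(Counter(e["src"] for e in inbound_dns_events(lines)))


def flag_sources(lines, max_per_second=5):
    """External sources that exceed max_per_second in any one-second bucket."""
    buckets = defaultdict(Counter)
    for e in inbound_dns_events(lines):
        buckets[e["ts"]][e["src"]] += 1
    return {src for counts in buckets.values()
            for src, n in counts.items() if n > max_per_second}


if __name__ == "__main__":
    print("per second :", queries_per_second(SAMPLE_LOG))
    print("per source :", per_source_totals(SAMPLE_LOG))
    print("flagged    :", flag_sources(SAMPLE_LOG))
```

The per-second total is the more useful signal here: when the sources are spoofed or randomised, as the post warns, a per-source block list never fills with the right addresses, while a sustained inbound rate on a port the firewall already drops tells you the traffic is being aimed at your addresses rather than originating inside.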

Author Comment

by:Roy17
ID: 39603983
HalldorG, thanks. We have been blocking port 53 incoming from the get-go. We only have a rule to allow HTTPS and deny everything else. The DNS A record pointing to our HTTPS interface is on our hosting service (which acts as our parent name server for our domain name). The DNS server on the SBS is mainly to provide DNS for clients' internet access. Disabling recursion essentially kills that.

btan, it looks external and somewhat randomized. I get about 20-30 from each source.
This DNS is internal (and the only one), it does use recursion but is set to answer only on the server interface. Our firewall blocks all incoming port 53 requests period. In fact all ports reject packets and have been except HTTPS. I am still not seeing any unusual traffic on the outgoing interface. I will definitely scan any machines that are off for the weekend as they come online. Our parent name server (hosting service) which handles DNS for our registered domain (and has A records pointing to our two interfaces) grades out as "A" with DNS Inspect. Will hardware upstream of our internal server be of benefit in this instance?

Anything else? Or should I just ride it out and closely monitor it? Being in our own little corner of the universe I do wonder how this came about.
LVL 7

Accepted Solution

by:HalldorG
HalldorG earned 250 total points
ID: 39604107
This is a so-called DNS amplification attack. A DNS query of 70 bytes can give an answer of a 4000-byte TXT record to the address the attacker spoofs.
It also kills the firewall, as it needs a lot of CPU to perform the DNS inspection.
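As an added example (not code from the accepted solution or any other post), the following Python shows the two quantities behind that answer: the amplification factor of a small query that draws a large TXT answer towards a spoofed address, and why the "no recursion for outside clients" setting from the first comment removes it. It builds and parses a minimal RFC 1035 query, applies a local-net policy to the client address, and produces the REFUSED reply a resolver would send instead of the large answer. The 70-byte and 4000-byte sizes come from the thread; the local network range and the example name are assumptions.

```python
import struct
import ipaddress

# Clients allowed to use recursion; an assumption for this example.
LOCAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]

QTYPE_TXT = 16
FLAG_QR = 0x8000   # response bit
FLAG_RD = 0x0100   # recursion desired
RCODE_REFUSED = 5


def encode_name(name):
    """Encode "example.com." as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, qname, qtype, rd=True):
    """12-byte header with QDCOUNT=1, followed by one question (class IN)."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_query(packet):
    """Parse the header and first question; no compression pointers in a query."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    pos, labels = 12, []
    while True:
        ln = packet[pos]
        pos += 1
        if ln == 0:
            break
        labels.append(packet[pos:pos + ln].decode("ascii"))
        pos += ln
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {"id": txid, "rd": bool(flags & FLAG_RD),
            "qname": ".".join(labels) + ".", "qtype": qtype,
            "question_end": pos + 4}


def rcode(packet):
    """Low four bits of the flags word."""
    return struct.unpack("!H", packet[2:4])[0] & 0x000F


def refused_response(query):
    """QR=1, RCODE=REFUSED, question section echoed back, no answer records."""
    txid, flags = struct.unpack("!HH", query[:4])
    q = parse_query(query)
    resp_flags = FLAG_QR | (flags & FLAG_RD) | RCODE_REFUSED
    return struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0) + query[12:q["question_end"]]


def decide(query_packet, client_ip, local_nets=LOCAL_NETS):
    """Recursive queries are answered only for clients inside local_nets."""
    q = parse_query(query_packet)
    client = ipaddress.ip_address(client_ip)
    is_local = any(client in net for net in local_nets)
    if q["rd"] and not is_local:
        return "REFUSED"
    return "RESOLVE"


def amplification_factor(query_len, response_len):
    """Bytes sent to the spoofed victim per byte the attacker sent."""
    return response_len / query_len


if __name__ == "__main__":
    q = build_query(0x1234, "example.com.", QTYPE_TXT)
    print("query bytes      :", len(q))
    print("outside client   :", decide(q, "203.0.113.10"))
    print("local client     :", decide(q, "192.168.1.50"))
    print("refused reply    :", len(refused_response(q)), "bytes")
    print("thread's figures :", round(amplification_factor(70, 4000), 1), "x")
```

With the thread's numbers the large TXT answer yields a factor of about 57x towards the spoofed address, while the REFUSED reply is the same size as the question that triggered it, so an outside client gets no amplification from a resolver that enforces this policy. Note that the spoofed-source queries seen at a perimeter that already drops port 53, as in the question, are simply dropped; the policy matters for the resolver itself.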

Author Closing Comment

by:Roy17
ID: 39604256
HalldorG,

Yes, that is it. Our firewall is consistently staying at or below 20% usage. It appears all that can be done is continue to monitor it and double check internally as the cause concerns me.

Thanks to you and btan for the info.
