[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 716
  • Last Modified:

DNS Attack

Small network of about 40 machines with a new SBS2011 server. I was about to ween our server off pop3 when I noticed in our firewall logs about 30-40 DNS (port 53) entries from external IPs happening every second on our wan side. We have outward wan interfaces with static IPs leading to seperate networks. The second has just one box in it. I am seeing these queries on both interfaces. The first step I took was to physically disconnect from the internet, actively scan all the machines that were up (all clean) and flush the sbs DNS cache in case it was poisoned. I reconnected just the router (it is utm appliance with idp) and checked the logs, same thing. I called our ISP and the tech said they hadn't received any alerts for DNS issues, thought my situation was unusual and suggested I add a second firewall. I am not seeing any unusual traffic outbound and I limit outbound traffic to necessary services only.
I could place a multihomed box just inside running wireshark but I wanted to run this by the community for any ideas or anything I have missed.
0
Roy17
Asked:
Roy17
  • 2
  • 2
2 Solutions
 
HalldorGCommented:
1. Block udp port 53 and tcp port 53 for incoming connections.
2. Set the DNS up so it does not answer to recursive lookups from other than your localnet.
0
 
btanExec ConsultantCommented:
if it is outbound, trace down to the machine spawning off the DNS call but if it is DNS call from external as mentioned unlikely you can shelved it aside unless the source is not legit as in RBL / DNSBL lookup which goes together typically in email spam filter ..
http://www.spamhaus.org/faq/section/DNSBL%20Usage#30
http://www.spamhaus.org/faq/section/DNSBL%20Usage#365

In general, I see that you can consider apply your filtering in layers, if it all possible:
- hardware upstream of your server act as one layer to reject this malicious traffic
- blocking an IP to rate limiting the number of connection attempts allowed
- monitors the log files and will dynamically respond to these attempts as second layer
- add white and black list filtering to you application or systems targeted as third layer

Understand it does not solve the issue esp if the source IP randomised like a botnet. Meanhwhile, besides scanning client, also do some internal checks such as
- identify any open recursive resolvers
- do not allow unrestricted recursive resolution for any client on the Internet
- use DNSInspect (web-based tool) for testing DNS resolvers

Do catch CERT DNS alert advisory and it may come handy :
http://www.us-cert.gov/ncas/alerts/TA13-088A

PS, adding more FW doesnt solve - probably just matching the load but it can be ongoing ..
0
 
Roy17Author Commented:
HalldorG, thanks. We have been blocking port 53 incoming from the get go. We only have an rule to allow HTTPS and deny everything else. The DNS A record pointing to our HTTPS interface is on our hosting service (which acts as our parent name server for our domain name).The DNS server on the SBS is mainly to provide DNS for clients internet access. Disabling recursion essentially kills that.

breadtan, it looks external and somewhat randomized. I get about 20-30 from each source.
This DNS is internal (and the only one), it does use recursion but is set to answer only on the server interface. Our firewall blocks all incoming port 53 requests period. In fact all ports reject packets and have been except HTTPS. I am still not seeing any unusual traffic on the outgoing interface. I will definitely scan any machines that are off for the weekend as they come online. Our parent name server (hosting service) which handles DNS for our registered domain (and has A records pointing to our two interfaces) grades out as "A" with DNS Inspect. Will hardware upstream of our internal server be of benefit in this instance?

Anything else? Or should I just ride it out and closely monitor it? Being in our own little corner of the universe I do wonder how this came about.
0
 
HalldorGCommented:
This is so called dns amplification attack.  A dns query of 70 bytes can give answer of 4000 bytes TXT record to the address the attacker spoofs.
It also kills that firewall as it needs a lot of CPU to control the DNS inspects.
0
 
Roy17Author Commented:
HalldorG,

Yes, that is it. Our firewall is consistently staying at or below 20% usage. It appears all that can be done is continue to monitor it and double check internally as the cause concerns me.

Thanks to you and breadtan for the info.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now