

DNS Attack

Posted on 2013-10-26
Medium Priority
Last Modified: 2013-11-22
Small network of about 40 machines with a new SBS2011 server. I was about to wean our server off POP3 when I noticed in our firewall logs about 30-40 DNS (port 53) entries from external IPs happening every second on our WAN side. We have outward WAN interfaces with static IPs leading to separate networks. The second has just one box in it. I am seeing these queries on both interfaces. The first step I took was to physically disconnect from the internet, actively scan all the machines that were up (all clean) and flush the SBS DNS cache in case it was poisoned. I reconnected just the router (it is a UTM appliance with IDP) and checked the logs: same thing. I called our ISP and the tech said they hadn't received any alerts for DNS issues, thought my situation was unusual and suggested I add a second firewall. I am not seeing any unusual traffic outbound, and I limit outbound traffic to necessary services only.
I could place a multihomed box just inside running wireshark but I wanted to run this by the community for any ideas or anything I have missed.
Question by: Roy17

Expert Comment

ID: 39603663
1. Block udp port 53 and tcp port 53 for incoming connections.
2. Set the DNS up so it does not answer to recursive lookups from other than your localnet.

Assisted Solution

btan earned 1000 total points
ID: 39603700
If it is outbound, trace down to the machine spawning off the DNS call; but if it is a DNS call from external as mentioned, unlikely. You can shelve it aside unless the source is not legit, as in RBL / DNSBL lookup, which typically goes together with an email spam filter ..

In general, I see that you can consider applying your filtering in layers, if at all possible:
- hardware upstream of your server acts as one layer to reject this malicious traffic
- blocking an IP to rate limit the number of connection attempts allowed
- monitor the log files and dynamically respond to these attempts as a second layer
- add white and black list filtering to your application or systems targeted as a third layer

Understand it does not solve the issue, esp. if the source IP is randomised like a botnet. Meanwhile, besides scanning clients, also do some internal checks such as
- identify any open recursive resolvers
- do not allow unrestricted recursive resolution for any client on the Internet
- use DNSInspect (web-based tool) for testing DNS resolvers

Do catch the CERT DNS alert advisory; it may come in handy :

PS, adding more FW doesn't solve it - probably just matching the load, but it can be ongoing ..

Author Comment

ID: 39603983
HalldorG, thanks. We have been blocking port 53 incoming from the get go. We only have a rule to allow HTTPS and deny everything else. The DNS A record pointing to our HTTPS interface is on our hosting service (which acts as our parent name server for our domain name). The DNS server on the SBS is mainly to provide DNS for clients' internet access. Disabling recursion essentially kills that.

breadtan, it looks external and somewhat randomized. I get about 20-30 from each source.
This DNS is internal (and the only one), it does use recursion but is set to answer only on the server interface. Our firewall blocks all incoming port 53 requests period. In fact all ports reject packets and have been except HTTPS. I am still not seeing any unusual traffic on the outgoing interface. I will definitely scan any machines that are off for the weekend as they come online. Our parent name server (hosting service) which handles DNS for our registered domain (and has A records pointing to our two interfaces) grades out as "A" with DNS Inspect. Will hardware upstream of our internal server be of benefit in this instance?

Anything else? Or should I just ride it out and closely monitor it? Being in our own little corner of the universe I do wonder how this came about.

Accepted Solution

HalldorG earned 1000 total points
ID: 39604107
This is a so-called DNS amplification attack. A DNS query of 70 bytes can give an answer of 4000 bytes (TXT record) to the address the attacker spoofs.
It also kills that firewall, as it needs a lot of CPU to control the DNS inspects.
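As a worked example added to this thread (it is not code from any of the posters or from the UTM vendor), the script below triages WAN-side firewall log lines for the pattern described here: it ties together HalldorG's "block port 53 inbound" step, btan's "monitor the log files and respond" layer, and the amplification explanation above. The log format, the addresses (TEST-NET ranges) and the per-second thresholds are all constructed assumptions for the example; adapt the regex to whatever the real appliance emits. It also separates the two roles a site can play in a reflection attack: many spoofed queries *to* udp/53 means someone is probing you as a reflector, while large answers arriving *from* port 53 means your address is the spoofed victim.

```python
"""Triage of firewall deny logs for DNS reflection/amplification noise.

Constructed log format (an assumption, not the questioner's UTM syntax):
  "<epoch> <ACTION> <PROTO> <src>:<sport> -> <dst>:<dport> len=<bytes>"
"""
import re
from collections import defaultdict

LOG_LINE = re.compile(
    r"^(?P<ts>\d+) (?P<action>DENY|ALLOW) (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) len=(?P<len>\d+)$"
)

WAN_IP = "203.0.113.10"  # constructed WAN address (TEST-NET-3)


def build_sample_log():
    """Constructed sample: 12 distinct (spoofed-looking) sources, each sending
    three 70-byte packets into udp/53 within one second, one legitimate HTTPS
    connection, and one 4000-byte packet arriving *from* port 53 (the shape of
    a reflected answer, which is what a spoofed victim would see)."""
    lines = []
    for i in range(12):
        src = f"198.51.100.{i + 1}"
        for j in range(3):
            lines.append(f"1000 DENY UDP {src}:{40000 + j} -> {WAN_IP}:53 len=70")
    lines.append(f"1000 ALLOW TCP 192.0.2.5:51234 -> {WAN_IP}:443 len=60")
    lines.append(f"1001 DENY UDP 198.51.100.200:53 -> {WAN_IP}:4242 len=4000")
    return lines


def parse(lines):
    """Turn matching log lines into dicts; lines in other formats are skipped."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        e = m.groupdict()
        for k in ("ts", "sport", "dport", "len"):
            e[k] = int(e[k])
        events.append(e)
    return events


def per_second_dns(events):
    """Per-second (packet count, distinct sources) for inbound UDP to port 53."""
    buckets = defaultdict(lambda: [0, set()])
    for e in events:
        if e["proto"] == "UDP" and e["dport"] == 53:
            buckets[e["ts"]][0] += 1
            buckets[e["ts"]][1].add(e["src"])
    return {t: (pkts, len(srcs)) for t, (pkts, srcs) in buckets.items()}


def reflection_seconds(events, min_pkts=20, min_sources=10):
    """Seconds in which many distinct sources hit udp/53 at once, the signature
    of reflection probing. Thresholds are assumptions chosen for the example."""
    return sorted(t for t, (p, s) in per_second_dns(events).items()
                  if p >= min_pkts and s >= min_sources)


def classify_role(events):
    """Distinguish 'queries aimed at us' (we are a candidate reflector) from
    'answers aimed at us' (our address is the spoofed victim)."""
    role = {"queries_to_us": 0, "answers_to_us": 0, "answer_bytes": 0}
    for e in events:
        if e["proto"] != "UDP":
            continue
        if e["dport"] == 53:
            role["queries_to_us"] += 1
        elif e["sport"] == 53:
            role["answers_to_us"] += 1
            role["answer_bytes"] += e["len"]
    return role


def inbound_dns_leaks(events):
    """HalldorG's step 1 as a check: any inbound port-53 packet the firewall
    ALLOWED instead of denying. An empty list is the desired result."""
    return [e for e in events if e["dport"] == 53 and e["action"] == "ALLOW"]


def amplification(query_len, answer_len):
    """Bytes delivered to the victim per byte the attacker spends
    (the thread's 70-byte query vs 4000-byte TXT answer)."""
    return answer_len / query_len


if __name__ == "__main__":
    evs = parse(build_sample_log())
    print("per-second udp/53:", per_second_dns(evs))
    print("reflection seconds:", reflection_seconds(evs))
    print("role:", classify_role(evs))
    print("allowed inbound port 53:", inbound_dns_leaks(evs))
    print("amplification factor: %.1fx" % amplification(70, 4000))
```

On the constructed sample the firewall denies every inbound port-53 packet, exactly the situation in the thread: the deny entries are the evidence that the block rule is working, and the only remaining action is the one the author settled on, keeping an eye on the per-second counts and on firewall CPU so that the inspection load itself does not become the problem.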

Author Closing Comment

ID: 39604256

Yes, that is it. Our firewall is consistently staying at or below 20% usage. It appears all that can be done is continue to monitor it and double check internally as the cause concerns me.

Thanks to you and breadtan for the info.
