DDoS attack on DNS servers

Hello experts,
I think we have a DDoS attack on our DNS servers.
The IPS logs many "IP Fragment Too Many Datagrams" errors on the DNS servers.
How can I protect my DNS servers?
I have read that I can restrict IP fragmentation on the DNS server.
The operating system of the DNS server is Windows 2012 R2.
Thank you
Asked by: ameriaadmin

7 Solutions
 
Zephyr ICT (Cloud Architect) commented:
Hi, there's loads of information available regarding DNS attacks ... I got most of my sources from this link: http://social.technet.microsoft.com/Forums/windowsserver/en-US/fac86dc7-779d-48eb-a113-9c06c2222af9/protecting-windows-dns-server-from-being-abused-for-dns-amplification-attacks?forum=winserverNIS

Follow the links in the solution for all the necessary information... There's no one solution that fixes all; you might need to implement more than one fix.

Another interesting read: http://info.menandmice.com/blog/bid/89805/Windows-2012-Server-Preparing-to-sign-a-DNS-zone-with-DNSSEC

ameriaadmin (Author) commented:
Our DNS servers do forwarding and are configured to allow recursive queries from clients. The servers are the primary DNS servers for our domains.
The suggestions in the first link didn't help us.

ameriaadmin (Author) commented:
And the second link too.

cantoris commented:
Configure Windows firewall to ensure your DNS Servers can only answer queries from YOUR client machines.  Don't offer up recursive querying to anyone on the Internet.

Alan Hardisty (Co-Owner) commented:
What firewall / router do you have?  Can you enable Security on that which will prevent such attacks?

Alan

Chris Dent (PowerShell Developer) commented:
What can you share about your topology? You mention they are recursive resolvers as well as hosting domains?

Are those servers open to the outside world (inbound requests)?

If they are, you should split the role of authoritative server from recursive resolver. You should not provide recursive resolution services to anyone other than those you must.

If the servers are public, protecting them is going to require a multi-layered approach (defence in depth). Rate limiting is a relatively easy target, assuming you're not limited to the MS platform. Network IPS may help, as will any kind of limiting close to the borders of your network.

How suitable any of this is depends entirely on how and why your DNS servers are deployed.

Chris

ameriaadmin (Author) commented:
cantoris: it is a primary DNS server; if I close the server with the firewall my subdomains don't work. The server is primary and the ISP DNS server is secondary.

Alan Hardisty: the Cisco firewall and IPS can't stop the attack. We have enabled CoPP for DNS on the router and activated some signatures on the IPS, but it didn't help sufficiently.

Chris Dent: there are two authoritative DNS servers in the DMZ zone (external DNS servers). They support our domains and subdomains (we have other DNS servers for the LAN (internal DNS servers), and they do queries to the external servers). The DNS servers are on Windows 2012 R2.

Chris Dent (PowerShell Developer) commented:
I'm surprised the IPS cannot help mitigate this kind of problem, although it would require a fair bit of tuning. However, if your DNS servers provide authoritative resolution (to external clients) you have to put up with a certain amount of mess.

Ensure the servers you expose cannot be abused as far as possible (reduce the attack surface). That is, they don't need to allow recursion; they don't need root hints; they don't need to respond about cached entries; etc.

Clearly these steps will not protect against reflection / amplification type attacks (spoofed UDP). You would need sufficient network monitoring and the ability to shut down (discard) UDP traffic flows to stop that. What impact would that have on your DNS infrastructure? Is your DNS service geographically distributed?

Chris

ameriaadmin (Author) commented:
In Wireshark I have seen the queries for
fkfkfkrf.com
saveroads.ru

It is a DNS amplification attack. I don't think that the IPS can mitigate it.
I have closed many IP addresses for those domains, but it didn't help again.

Chris Dent (PowerShell Developer) commented:
You can minimise the impact on your own DNS servers in this case by ensuring it will do nothing more than return REFUSED for those queries. At least then your server doesn't have to go and fish for an answer from Root; it doesn't stop amplification, but does limit local damage.

Can you verify that it returns refused? That should reduce the payload in the response to ~30-50 bytes.

The response size is a key aspect of an amplification attack; it should be far larger than the query (amplification, after all). If your server returned the list of Root Hints as a reply that would fit the bill nicely, although perhaps something more significant could be sought (chuck in DNSSEC and it should be possible to find responses of 2 - 3Kb).

Because of the search for large messages, open resolvers are, by far, the most useful targets to anyone considering an amplification attack. This, of course, means you should do your utmost to ensure unnecessary open resolvers are not exposed. An authoritative-only server should return nothing more than the REFUSED response.

That deals with some of the impact, but it's difficult to prevent this kind of probing (because at least technically it's not wrong).

If you find yourself to be a significant target you may have to consider that, at some point, you have to pull the plug (metaphorically speaking) on the DNS service for the duration of an attack. In this instance you'd either need to be investing in a clean-and-forward type IPS service, or a geographically distributed DNS system, or both. If you're interested in following that line further, I know that the UltraDNS service (hosted / managed DNS) can cope.

It is worth noting that BIND has far better control than MS DNS over the degree to which an authoritative server or a resolver is locked down. MS DNS is focused heavily on the internal-authoritative and internal-resolver market; I wouldn't say DNS is a specialist area at the moment. For a start, BIND will let you set rate limiting; MS DNS will not. A platform switch may be more desirable than hosting.

Finally, if the risk is great it's worth highlighting the importance of monitoring. An amplification attack (using your service as a hop) should be coupled with a spike in the number of queries. You can only determine if there's a spike if you've developed a monitoring baseline for your service.

Chris

btan (Exec Consultant) commented:
You may want to catch the CERT alerts and mitigation:

UDP-based Amplification Attacks
http://www.us-cert.gov/ncas/alerts/TA14-017A

DNS Amplification Attacks
http://www.us-cert.gov/ncas/alerts/TA13-088A

ameriaadmin (Author) commented:
Microsoft DNS Server:
"It is not currently possible to restrict recursive DNS requests to a particular client address range in Microsoft DNS Server."
What else can I do?

Chris Dent (PowerShell Developer) commented:
Split the roles entirely (separate authoritative and recursive servers), or change the DNS platform (BIND will run on Windows, even if it's a touch less optimal).

Chris

btan (Exec Consultant) commented:
Also mentioned in the CERT TA ...

"To approximate the functionality of the BIND access control lists in Microsoft's DNS Server, a different caching-only name server should be set up internally to provide recursive resolution. A firewall rule should be created to block incoming access to the caching-only server from outside the organization's network. The authoritative name server functionality would then need to be hosted on a separate server, but configured to disable recursion as previously described."

ameriaadmin (Author) commented:
There were a lot of requests from
saveroads.ru
pddos.com
fkfkfkfr.com
iri.so
I have created new empty zones in our DNS server for those domains, and closed the IP addresses by firewall. Now the attack traffic is small.

Chris Dent (PowerShell Developer) commented:
It's a very high maintenance method of managing your server. You really should consider a better long term alternative to this.

Chris

ameriaadmin (Author) commented:
I agree with you.

btan (Exec Consultant) commented:
As with all blacklisting, it can be a catch-up game, just like implementing blackholing with known DNSBLs. There are providers (such as F5 Networks) using a DNS firewall type to offload and possibly whitelist DNS into the backend DNS server.

Side note: some suggest that it is best to have DNSSEC, but this is also going to need major interoperability checks between requestor and provider. And DNSSEC itself can be another DDoS amplification factor if it is not implemented with safeguards, since the payload is larger.

http://technet.microsoft.com/en-us/security/hh972393.aspx

ameriaadmin (Author) commented:
I asked the ISP to filter traffic by activating "verify source routing" on our interface.

ameriaadmin (Author) commented:
All marked answers helped to solve the issue.