Solved

ddos attack on dns servers

Posted on 2014-01-20
Last Modified: 2014-03-07
Hello experts,
I think we have a DDoS attack on our DNS servers.
The IPS reports many "IP Fragment Too Many Datagrams" errors on the DNS servers.
How can I protect my DNS servers?
I have read that I can restrict IP fragmentation on the DNS server.
The operating system of the DNS server is Windows 2012 R2.
Thank you
Question by:ameriaadmin

Assisted Solution

by:Zephyr ICT
Zephyr ICT earned 20 total points
ID: 39793805
Hi, there's loads of information available regarding DNS attacks ... I got most of my sources from this link: http://social.technet.microsoft.com/Forums/windowsserver/en-US/fac86dc7-779d-48eb-a113-9c06c2222af9/protecting-windows-dns-server-from-being-abused-for-dns-amplification-attacks?forum=winserverNIS

Follow the links in the solution for all the necessary information... There's no one solution that fixes all; you might need to implement more than one fix.

Another interesting read: http://info.menandmice.com/blog/bid/89805/Windows-2012-Server-Preparing-to-sign-a-DNS-zone-with-DNSSEC

Author Comment

by:ameriaadmin
ID: 39793852
Our DNS servers are forwarding, and they are configured to allow recursive queries from clients. The servers are primary DNS servers for our domains.
The suggestions in the first link didn't help us.

Author Comment

by:ameriaadmin
ID: 39794002
And the second link too.

Assisted Solution

by:cantoris
cantoris earned 20 total points
ID: 39846666
Configure Windows firewall to ensure your DNS Servers can only answer queries from YOUR client machines.  Don't offer up recursive querying to anyone on the Internet.

Expert Comment

by:Alan Hardisty
ID: 39846681
What firewall / router do you have?  Can you enable Security on that which will prevent such attacks?

Alan

Assisted Solution

by:Chris Dent
Chris Dent earned 460 total points
ID: 39846779
What can you share about your topology? You mention they are recursive resolvers as well as hosting domains?

Are those servers open to the outside world (inbound requests)?

If they are, you should split the role of authoritative server from recursive resolver. You should not provide recursive resolution services to anyone other than those you must.

If the servers are public, protecting them is going to require a multi-layered approach (defence in depth). Rate limiting is a relatively easy target, assuming you're not limited to the MS platform. Network IPS may help, as will any kind of limiting close to the borders of your network.

How suitable any of this is depends entirely on how and why your DNS servers are deployed.

Chris

Author Comment

by:ameriaadmin
ID: 39846914
cantoris: it is a primary DNS server; if I close the server with the firewall my subdomains don't work. The server is primary and the ISP DNS server is secondary.

Alan Hardisty: the Cisco firewall and IPS can't stop the attack. We have enabled CoPP for DNS on the router and activated some signatures on the IPS, but it didn't help sufficiently.

Chris Dent: there are two authoritative DNS servers in the DMZ zone (external DNS servers). They support our domains and subdomains (we have other DNS servers for the LAN (internal DNS servers), and they do queries to the external servers). The DNS servers are on Windows 2012 R2.

Assisted Solution

by:Chris Dent
Chris Dent earned 460 total points
ID: 39846951
I'm surprised the IPS cannot help mitigate this kind of problem, although it would require a fair bit of tuning. However, if your DNS servers provide authoritative resolution (to external clients) you have to put up with a certain amount of mess.

Ensure the servers you expose cannot be abused as far as possible (reduce the attack surface). That is, they don't need to allow recursion; they don't need root hints; they don't need to respond about cached entries; etc.

Clearly these steps will not protect against reflection / amplification type attacks (spoofed UDP). You would need sufficient network monitoring and the ability to shut down (discard) UDP traffic flows to stop that. What impact would that have on your DNS infrastructure? Is your DNS service geographically distributed?

Chris
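
The attack-surface reduction Chris Dent describes above, as an added example that is not part of the thread: the cmdlets below come from the DnsServer module that ships with the DNS Server role on Windows Server 2012 R2. It assumes you run it elevated on each external authoritative server, and that those servers host only the zones you publish and have no other reason to resolve outside names (the internal resolvers in this thread are a separate pair and must keep recursion on).

```powershell
# Added example, not from the thread: make a Windows Server 2012 R2 DNS server
# authoritative-only. Run elevated on the external DNS server itself.
Import-Module DnsServer

# 1. Disable recursion. Queries for names outside the hosted zones now get
#    RCODE 5 (REFUSED) instead of being resolved via forwarders or root hints.
#    Legacy equivalent: dnscmd /Config /NoRecursion 1
Set-DnsServerRecursion -Enable $false

# 2. With recursion off, forwarders and root hints serve no purpose. Remove them
#    so that a later click in the DNS console cannot silently bring resolution
#    back for the whole Internet.
$forwarders = (Get-DnsServerForwarder).IPAddress
if ($forwarders) {
    Remove-DnsServerForwarder -IPAddress $forwarders -Force
}
Get-DnsServerRootHint | Remove-DnsServerRootHint -Force

# 3. Read the settings back: Enable must be False and the root-hint count 0.
Get-DnsServerRecursion | Select-Object Enable, SecureResponse
(Get-DnsServerRootHint | Measure-Object).Count

# 4. Confirm the zones you actually publish are still served; anything missing
#    here is a zone you forgot to move before locking the server down.
Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated
```

After step 1 the server still answers from its own zones, so the public domains keep working; what changes is that a query for a foreign name such as the ones seen in Wireshark gets a short REFUSED rather than a resolved answer. Note that Response Rate Limiting (Set-DnsServerResponseRateLimiting) and per-client recursion scopes only arrived with Windows Server 2016; on 2012 R2 this is as far as the platform itself goes, and any rate limiting has to happen at the network edge or on a different DNS implementation.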

Author Comment

by:ameriaadmin
ID: 39847009
In Wireshark I have seen the queries for
fkfkfkrf.com
saveroads.ru

It is a DNS amplification attack. I don't think that the IPS can mitigate it.
I have closed many IP addresses for those domains, but it didn't help either.

Accepted Solution

by:Chris Dent
Chris Dent earned 460 total points
ID: 39847075
You can minimise the impact on your own DNS servers in this case by ensuring it will do nothing more than return REFUSED for those queries. At least then your server doesn't have to go and fish for an answer from Root; it doesn't stop amplification, but does limit local damage.

Can you verify that it returns refused? That should reduce the payload in the response to ~30-50 bytes.

The response size is a key aspect of an amplification attack; it should be far larger than the query (amplification, after all). If your server returned the list of Root Hints as a reply that would fit the bill nicely, although perhaps something more significant could be sought (chuck in DNSSEC and it should be possible to find responses of 2 - 3Kb).

Because of the search for large messages, open resolvers are, by far, the most useful targets to anyone considering an amplification attack. This, of course, means you should do your utmost to ensure unnecessary open resolvers are not exposed. An authoritative-only server should return nothing more than the REFUSED response.

That deals with some of the impact, but it's difficult to prevent this kind of probing (because at least technically it's not wrong).

If you find yourself to be a significant target you may have to consider that, at some point, you have to pull the plug (metaphorically speaking) on the DNS service for the duration of an attack. In this instance you'd either need to be investing in a clean-and-forward type IPS service, or a geographically distributed DNS system, or both. If you're interested in following that line further, I know that the UltraDNS service (hosted / managed DNS) can cope.

It is worth noting that BIND has far better control than MS DNS over the degree to which an authoritative server or a resolver is locked down. MS DNS is focused heavily on the internal-authoritative and internal-resolver market; I wouldn't say DNS is a specialist area at the moment. For a start, BIND will let you set rate limiting, MS DNS will not. A platform switch may be more desirable than hosting.

Finally, if the risk is great it's worth highlighting the importance of monitoring. An amplification attack (using your service as a hop) should be coupled with a spike in the number of queries. You can only determine if there's a spike if you've developed a monitoring baseline for your service.

Chris
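
The check Chris Dent asks for ("can you verify that it returns refused?") and the query/response size ratio he describes, as an added example that is not part of the thread. The function builds one raw UDP DNS query with .NET sockets, so it shows the real RCODE and byte counts rather than whatever a stub resolver reports; it runs on Windows PowerShell 4 (Server 2012 R2) and later. The server address is a placeholder (TEST-NET-1), and the name is assumed to be one the server under test does not host; run it from a machine outside the DMZ so the firewall path is exercised too.

```powershell
function Test-DnsAmplification {
    # Added example, not from the thread: send one raw DNS query over UDP and
    # report the RCODE plus the response/query size ratio. An authoritative-only
    # server should answer REFUSED with a ratio close to 1 for a name it does not
    # host; an open resolver answers NOERROR with a much larger response.
    param(
        [Parameter(Mandatory = $true)][string]$Server,   # IP of the server under test
        [string]$Name = 'example.com',                   # a name the server does NOT host
        [ValidateSet('A', 'NS', 'TXT', 'ANY')][string]$Type = 'ANY',   # ANY is what probes prefer
        [int]$TimeoutMs = 3000
    )
    $typeCode = @{ A = 1; NS = 2; TXT = 16; ANY = 255 }[$Type]

    # RFC 1035 header: random ID, flags RD=1 (exactly what an attacker sends), QDCOUNT=1
    $id = Get-Random -Minimum 0 -Maximum 65536
    [byte[]]$header = ($id -shr 8), ($id -band 0xFF),
                      0x01, 0x00,                        # QR=0, Opcode=0, RD=1
                      0x00, 0x01,                        # QDCOUNT
                      0x00, 0x00, 0x00, 0x00, 0x00, 0x00 # ANCOUNT, NSCOUNT, ARCOUNT

    # QNAME as length-prefixed labels, terminated by the zero-length root label
    $qname = New-Object System.Collections.Generic.List[byte]
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($label)
        $qname.Add([byte]$bytes.Length)
        $qname.AddRange($bytes)
    }
    $qname.Add(0)
    [byte[]]$question = ($typeCode -shr 8), ($typeCode -band 0xFF), 0x00, 0x01   # QTYPE, QCLASS=IN
    [byte[]]$query = $header + $qname.ToArray() + $question

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        [void]$udp.Send($query, $query.Length, $Server, 53)
        $from = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        [byte[]]$response = $udp.Receive([ref]$from)
    } finally {
        $udp.Close()
    }

    # RCODE is the low nibble of the second flags byte; TC is bit 1 of the first
    $rcodeNames = @{ 0 = 'NOERROR'; 1 = 'FORMERR'; 2 = 'SERVFAIL'; 3 = 'NXDOMAIN'; 4 = 'NOTIMP'; 5 = 'REFUSED' }
    $rcode = [int]($response[3] -band 0x0F)
    $rcodeText = if ($rcodeNames.ContainsKey($rcode)) { $rcodeNames[$rcode] } else { "RCODE$rcode" }

    [pscustomobject]@{
        Server        = $Server
        Query         = "$Name $Type"
        RCode         = $rcodeText
        Truncated     = (($response[2] -band 0x02) -ne 0)   # TC set: the full answer is even bigger (TCP retry)
        AnswerRRs     = (([int]$response[6]) -shl 8) -bor ([int]$response[7])   # ANCOUNT
        QueryBytes    = $query.Length
        ResponseBytes = $response.Length
        Amplification = [math]::Round($response.Length / $query.Length, 2)
    }
}

# Usage (placeholder address): probe the same name and type the attacker is using,
# then compare against a known open resolver to see the ratio you are avoiding.
Test-DnsAmplification -Server '192.0.2.53' -Name 'example.com' -Type ANY
```

A REFUSED answer echoes only the header and question, so ResponseBytes lands in the 30-50 byte range Chris mentions and Amplification is about 1.0. If the same call returns NOERROR with AnswerRRs above zero, recursion is still on for that client and the server is usable as a reflector, whatever the console says. The same function also gives the baseline Chris recommends: run it from a scheduled job against your own servers and alert when the ratio or the RCODE changes.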

Expert Comment

by:btan
ID: 39847121
You may want to check the CERT alerts and mitigations:

UDP-based Amplification Attacks
http://www.us-cert.gov/ncas/alerts/TA14-017A

DNS Amplification Attacks
http://www.us-cert.gov/ncas/alerts/TA13-088A

Author Comment

by:ameriaadmin
ID: 39847259
Microsoft DNS Server
It is not currently possible to restrict recursive DNS requests to a particular client address range in Microsoft DNS Server.
What else can I do?

Expert Comment

by:Chris Dent
ID: 39847262
Split the roles entirely (separate authoritative and recursive servers), or change the DNS platform (BIND will run on Windows, even if it's a touch less optimal).

Chris

Expert Comment

by:btan
ID: 39847270
Also mentioned in the CERT TA ...

 To approximate the functionality of the BIND access control lists in Microsoft’s DNS Server, a different caching-only name server should be set up internally to provide recursive resolution. A firewall rule should be created to block incoming access to the caching-only server from outside the organization’s network. The authoritative name server functionality would then need to be hosted on a separate server, but configured to disable recursion as previously described.
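
The firewall side of the split that the CERT text above and cantoris's earlier comment both call for, as an added example that is not part of the thread: this is the configuration for the internal caching-only resolver, which keeps recursion on but must only be reachable from your own clients. On Windows Server 2012 R2 there is no per-client recursion ACL in the DNS server (DNS policies and recursion scopes came with Windows Server 2016), so Windows Firewall with Advanced Security is the place to enforce the source restriction. The client ranges are an assumption (RFC 1918 placeholders), and the rule-group name is the one the DNS Server role installs; check it with Get-NetFirewallRule -DisplayName 'DNS*' before relying on it.

```powershell
# Added example, not from the thread: expose the internal caching-only resolver
# to internal clients only (Windows Server 2012 R2, NetSecurity module).
# $InternalNets is an assumption; replace with the ranges your clients really use.
$InternalNets = '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'

# The DNS Server role installs inbound rules that allow port 53 from ANY address.
# Windows Firewall applies explicit Block rules before Allow rules, so a blanket
# "block 53 from everywhere" would cut off your own clients as well. Instead:
# disable the role's open rules and let the profile's default inbound action
# (Block) drop everything no remaining Allow rule matches.
Get-NetFirewallRule -DisplayGroup 'DNS Service' -Direction Inbound | Disable-NetFirewallRule
Set-NetFirewallProfile -All -DefaultInboundAction Block

foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "DNS ($proto-In) internal clients only" `
        -Direction Inbound -Protocol $proto -LocalPort 53 `
        -RemoteAddress $InternalNets -Action Allow -Profile Any
}

# This box is the resolver, so recursion stays enabled here; the authoritative
# servers in the DMZ are the separate pair that has it switched off.
Get-DnsServerRecursion | Select-Object Enable

# Verify: the scoped rules must be the only enabled inbound rules on port 53.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 53 } |
    Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Action, @{ n = 'Remote'; e = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',' } }
```

The point of the split is that the resolver's firewall rule can be this tight precisely because nobody outside needs it, while the authoritative pair in the DMZ stays open on port 53 to the whole Internet but refuses recursion; neither box alone can be both locked down and authoritative for public zones, which is the conflict the question author ran into.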

Assisted Solution

by:ameriaadmin
ameriaadmin earned 0 total points
ID: 39852424
There were a lot of requests from
saveroads.ru
pddos.com
fkfkfkfr.com
iri.so
I have created new empty zones in our DNS server for those domains and closed the IP addresses by firewall. Now the attack traffic is small.

Expert Comment

by:Chris Dent
ID: 39852692
It's a very high maintenance method of managing your server. You really should consider a better long term alternative to this.

Chris

Author Comment

by:ameriaadmin
ID: 39852718
I agree with you.

Expert Comment

by:btan
ID: 39852762
As with all blacklisting, it can be a catch-up game, just like implementing blackholing with known DNSBLs. There are providers (such as F5 Networks) using a DNS-firewall type of device to offload and possibly whitelist DNS into the backend DNS server.

Side note: some suggest that it is best to have DNSSEC, but this is also going to require major interoperability checks between requester and provider. And DNSSEC itself can be another DDoS amplification factor if it is not implemented with safeguards, since the payload is larger.

http://technet.microsoft.com/en-us/security/hh972393.aspx

Assisted Solution

by:ameriaadmin
ameriaadmin earned 0 total points
ID: 39899832
I asked the ISP to filter traffic by activating "verify source routing" on our interface.

Author Closing Comment

by:ameriaadmin
ID: 39912003
All marked answers helped to solve the issue.