ameriaadmin (Armenia) asked:
ddos attack on dns servers

Hello experts,
I think I have a DDoS attack on our DNS servers.
The IPS reports many "IP Fragment Too Many Datagrams" errors on the DNS servers.
How can I protect my DNS servers?
I have read that I can restrict IP fragmentation on the DNS server.
The operating system of the DNS server is Windows 2012 R2.
Thank you
SOLUTION by Zephyr ICT (Belgium)
ameriaadmin (asker):
Our DNS servers forward and are configured to allow recursive queries from clients. The servers are primary DNS servers for our domains.
The suggestions in the first link didn't help us,
and neither did the second link.
SOLUTION
Alan Hardisty:
What firewall / router do you have?  Can you enable Security on that which will prevent such attacks?

Alan
SOLUTION
cantoris: It is a primary DNS server; if I close the server with the firewall, my subdomains don't work. The server is primary and the ISP DNS server is secondary.

Alan Hardisty: The Cisco firewall and IPS can't stop the attack. We have enabled CoPP for DNS on the router and activated some signatures on the IPS, but it didn't help sufficiently.

Chris Dent: There are two authoritative DNS servers in the DMZ zone (external DNS servers). They support our domains and subdomains (we have other DNS servers for the LAN (internal DNS servers), and they do queries to the external servers). The DNS servers are on Windows 2012 R2.
SOLUTION
In Wireshark I have seen the queries for
fkfkfkrf.com
saveroads.ru

It is a DNS amplification attack. I don't think that the IPS can mitigate it.
We have closed many IP addresses for those domains, but it didn't help either.
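The pattern the asker found in Wireshark (many queries for one name, usually QTYPE ANY, arriving from many source addresses) can also be pulled out of the Windows DNS debug log on the server itself. The script below is an added example, not code from the thread; the log lines are constructed and only approximate the dnsserver.log layout, so the regex may need adjusting to the real file. The function names are this example's own.

```powershell
# Added example, not part of the thread: find the amplification pattern (many queries for one
# name, typically QTYPE ANY, from many source addresses) in a Windows DNS debug log.
# The log lines below are constructed and only approximate the dnsserver.log layout.

$SampleLog = @'
5/21/2014 10:45:19 AM 0B5C PACKET  UDP Rcv 203.0.113.5     0002 Q [0001   D   NOERROR] ANY    (8)fkfkfkrf(3)com(0)
5/21/2014 10:45:19 AM 0B5C PACKET  UDP Rcv 203.0.113.6     0002 Q [0001   D   NOERROR] ANY    (8)fkfkfkrf(3)com(0)
5/21/2014 10:45:20 AM 0B5C PACKET  UDP Rcv 203.0.113.7     0002 Q [0001   D   NOERROR] ANY    (8)fkfkfkrf(3)com(0)
5/21/2014 10:45:20 AM 0B5C PACKET  UDP Rcv 198.51.100.9    0002 Q [0001   D   NOERROR] ANY    (9)saveroads(2)ru(0)
5/21/2014 10:45:21 AM 0B5C PACKET  UDP Rcv 198.51.100.10   0002 Q [0001   D   NOERROR] ANY    (9)saveroads(2)ru(0)
5/21/2014 10:45:21 AM 0B5C PACKET  UDP Rcv 192.0.2.44      0002 Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
'@

# One received-query line -> source address, query type and a readable query name.
function ConvertFrom-DnsDebugLine {
    param([string]$Line)
    $pattern = '(?<proto>UDP|TCP) Rcv (?<src>\S+)\s+\S+ Q \[[^\]]*\]\s+(?<qtype>\S+)\s+(?<qname>\S+)\s*$'
    if ($Line -notmatch $pattern) { return $null }
    # "(8)fkfkfkrf(3)com(0)" -> "fkfkfkrf.com"
    $name = ($Matches.qname -replace '\(\d+\)', '.').Trim('.')
    [pscustomobject]@{ Source = $Matches.src; QType = $Matches.qtype; QName = $name }
}

# Group queries by name and type; report ANY queries for a name that arrive repeatedly,
# together with how many distinct (possibly spoofed) sources asked for it.
function Find-AmplificationCandidates {
    param([string[]]$Lines, [int]$MinQueries = 2)
    $parsed = foreach ($l in $Lines) { ConvertFrom-DnsDebugLine $l }
    $parsed | Where-Object { $_ } |
        Group-Object QName, QType |
        ForEach-Object {
            [pscustomobject]@{
                QName           = $_.Group[0].QName
                QType           = $_.Group[0].QType
                Queries         = $_.Count
                DistinctSources = ($_.Group.Source | Sort-Object -Unique).Count
            }
        } |
        Where-Object { $_.Queries -ge $MinQueries -and $_.QType -eq 'ANY' } |
        Sort-Object Queries -Descending
}

$lines = $SampleLog -split "`r?`n"
Find-AmplificationCandidates -Lines $lines -MinQueries 2 | Format-Table -AutoSize
```

On a real server, replace `$SampleLog` with `Get-Content` of the debug log (enable packet logging for received queries first) and raise `-MinQueries` to a level that makes sense for the zone's normal traffic. A name that is queried with ANY far more often than anything else, from many sources that never query anything else, is the signature the asker describes; on an authoritative server the fix is still to stop answering recursively rather than to chase the spoofed source addresses.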
ASKER CERTIFIED SOLUTION
btan:

You may want to catch the CERT alerts and mitigation:

UDP-based Amplification Attacks
http://www.us-cert.gov/ncas/alerts/TA14-017A

DNS Amplification Attacks
http://www.us-cert.gov/ncas/alerts/TA13-088A
Microsoft DNS Server
It is not currently possible to restrict recursive DNS requests to a particular client address range in Microsoft DNS Server.
What else can I do?
Split the roles entirely (separate authoritative and recursive servers), or change the DNS platform (BIND will run on Windows, even if it's a touch less optimal).

Chris
also mentioned in CERT TA ...

 To approximate the functionality of the BIND access control lists in Microsoft’s DNS Server, a different caching-only name server should be set up internally to provide recursive resolution. A firewall rule should be created to block incoming access to the caching-only server from outside the organization’s network. The authoritative name server functionality would then need to be hosted on a separate server, but configured to disable recursion as previously described.
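The split described in the CERT text, applied with the DNS Server and firewall cmdlets that ship with Windows Server 2012 R2, as an added example (not from the thread or the alert). The server names 'dmz-dns1', 'dmz-dns2' and 'lan-dns1', the LAN range 10.0.0.0/8, and the name 'example.com' used for the check are placeholders; the script also assumes the DNS role's predefined inbound firewall rules are in the 'DNS Service' group, as they are on a default install.

```powershell
# Added example, not part of the thread or the CERT alert: the split-role layout on Windows
# Server 2012 R2 using the DnsServer and NetSecurity cmdlets. Names and ranges are placeholders.
# Assumes the DNS role's predefined inbound firewall rules sit in the 'DNS Service' group.

$AuthoritativeServers = 'dmz-dns1', 'dmz-dns2'   # placeholder names (DMZ, authoritative only)
$CachingServer        = 'lan-dns1'               # placeholder name (internal, caching-only)
$LanRange             = '10.0.0.0/8'             # placeholder LAN range

# 1. DMZ servers answer only for the zones they host. In Windows DNS, disabling recursion also
#    disables forwarders, so a spoofed query for a name we do not host gets no cached or
#    recursive answer to amplify.
foreach ($srv in $AuthoritativeServers) {
    Set-DnsServerRecursion -ComputerName $srv -Enable $false
    $state = Get-DnsServerRecursion -ComputerName $srv
    '{0}: recursion enabled = {1}' -f $srv, $state.Enable
}

# 2. The caching-only server keeps recursion, but its host firewall only accepts port 53 from
#    the LAN. The CERT text puts this rule on the network firewall; the host rule is a second layer.
Set-DnsServerRecursion -ComputerName $CachingServer -Enable $true
Invoke-Command -ComputerName $CachingServer -ArgumentList $LanRange -ScriptBlock {
    param($range)
    Get-NetFirewallRule -DisplayGroup 'DNS Service' |
        Where-Object { $_.Direction -eq 'Inbound' } |
        Set-NetFirewallRule -RemoteAddress $range
}

# 3. Check from a host outside the LAN: an authoritative-only server must not return an answer
#    for a name it does not host (a referral in the Authority section does not count).
function Test-OpenResolver {
    param([string]$Server, [string]$ForeignName = 'example.com')   # placeholder name
    try {
        $r = Resolve-DnsName -Name $ForeignName -Type A -Server $Server -DnsOnly -ErrorAction Stop
        return [bool]($r | Where-Object { $_.Section -eq 'Answer' })   # $true = still recursing for anyone
    } catch {
        return $false                                                   # no answer: expected once recursion is off
    }
}
foreach ($srv in $AuthoritativeServers) {
    '{0}: open resolver = {1}' -f $srv, (Test-OpenResolver -Server $srv)
}
```

Run step 1 and 2 from a management host with the DNS Server tools installed and remoting enabled; run step 3 from outside the LAN, because from inside it the caching server is supposed to answer. Once recursion is off on the DMZ pair, the internal servers must point their forwarders at the caching-only resolver rather than at the DMZ servers, otherwise internal lookups for outside names stop working.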
SOLUTION
It's a very high maintenance method of managing your server. You really should consider a better long term alternative to this.

Chris
I agree with you.
As in all blacklisting, it can be a catch-up game, just like implementing blackholing with known DNSBLs. There are providers (such as F5 Networks) using a DNS firewall type to offload and possibly whitelist DNS into the backend DNS server.

Side note: some suggest that it is best to have DNSSEC, but this is also going to involve major interoperability checks between requestor and provider. And DNSSEC itself can be another DDoS amplification factor if it is not implemented with safeguards, since the payload is larger.

http://technet.microsoft.com/en-us/security/hh972393.aspx
SOLUTION
All marked answers helped to solve the issue.