Tag Archives: dns amplification attack

Protect your server from DDoS attacks – Part 2 !!

We have been talking about DDoS attacks directed at the web-server all this
while  ( http://letushare.com/protect-your-server-from-ddos-attacks )

Another headache would be when these attacks are directed at our DNS services,
which is often called as DNS Amplification Attacks.

In Simple words, the attack can be explained as follows :

Someone makes an enquiry to you, on how to reach a particular destination. You are not actually sure of the location either, so you ask your friends nearer to you, and if you don’t get an answer from them, you are determined to somehow get an answer and you start inquiring
further until you get one. ( Basically you do not know this ‘someone’ who requested your help)

And this ‘someone’ has not stopped there. He has asked this same question to
lots many other people whom like you are determined to get an answer. He would
conclude by saying, if you get an answer, please ring me to 111 – a fake number of
some unknown poor guy.

Similarly, an attacker spoofs IP addresses ( he might spoof it to an IP to which
he would like to carry a DDoS attack – called as the target – like the fake 111 number ) and sends a request to your DNS server asking to resolve a domain. Your DNS server would not have any details about it in your local db’s. So it goes around the internet trying to resolve the domain and as a result the request-queries and the reply-queries increase beyond a limit as the attacker sends more and more request queries.

Now, remember your server might be 1 in 10000 out of which the attacker would direct the reply’s to a target. ( If source IP of the DNS query was spoofed to that of the target’s IP )

So basically, this sort of DDoS attacks, not only affects the ‘target’ but also all the
DNS server’s participating in this attack, as they are flooded with queries ( request and reply )

Attackers will typically submit a request for as much zone information as possible to maximize the amplification effect. In most attacks of this type, the spoofed queries sent by the attacker are of the type, “ANY,” which returns all known information about a DNS zone in a single request. Because the size of the response is considerably larger than the request, the attacker is able to increase the amount of traffic being generated by these DNS services and in the end- the amount of traffic directed at the target would be huge.

So, how can we prevent this from happening ?

Going back to our previous illustration, when that ‘someone’ asked you for a help,
its you who sought to find an answer. You could have said :

“Im sorry, I dont know the route to that destination. Neither do i know you, so i cant spend
my time/energy in assisting you.

This is where you can make your DNS server a closed resolver.

More on this is found at the page, http://letushare.com/169/

And suppose, consider this, your DNS server is closed, still it would receive the
queries from the attacker and your server would have to reply to those DNS queries. Just that
it is not a part of the attack. These replies too might hinder your services if too
much requests are being directed to your server.

Here you can use iptables to set a rate-limit on the queries reaching your DNS port.

First make sure the recent module is loaded in the server
This module is needed to get this particular aspect of iptables working.

First rule is set to move all the packets received in port 53 to a new chain


# iptables -N block ( create a new chain )
# iptables -A INPUT -p udp --dport 53 -j block

Then,

# iptables -A block -m recent --set --name DNSQF --rsource ( creating a db DNSQF to capture the packets )

# iptables -A block -m recent --update --seconds 5 --hitcount 15 --name DNSQF

--rsource -j DROP ( set the rule for the db DNSQF which stores recent IPs )

The above rule implies to drop every packets after the 15th one, in a time-frame of 5 seconds.

Availing these rules in iptables, can in way help to reduce the traffic in your server,
when DNS queries are made to your server, even when it is a closed resolver.

Open resolvers !!

Open resolver ??

Before getting to know what is an open resolver, you need to know what
is recursion, ie recursive queries !

Suppose you have a DNS server configured and a local machine which uses
your DNS server queries for a website. Imagine this query is a new one 
and its not in the local cache of the machine which made the request.
Once this request reaches your DNS server, it will attempt to find the
website in question in its local cache. If it cannot find an answer it
will query other DNS servers on your behalf until it finds the address.
It will then respond to the original request with the results from each
server’s query.

This scenario is fine, because the local machine which made the initial
request is trusted by you.

What if another machine which isn’t trusted by you, queries your DNS server
for the same ? Then your DNS is an Open resolver.

An open DNS resolver is a name server that provides a recursive name resolution
for non local clients or users. Basically it’s a name server that provides recursive
replies for every system on the internet. Local users or “authorized” clients are
users on networks that you control and/or that you trust. Recursive replies are
the result of following the chain of delegations found in DNS, ending up at the
domain name that was requested by the original user.

Open DNS resolvers are frequently being abused to conduct efficient DDoS attacks towards
websites, infrastructure and services. In a DNS amplification DDoS attack, the attacker
sends a DNS name lookup request to an open DNS resolver with the source address
spoofed to be the victim’s address.

When the DNS server sends the DNS record response, it is sent
to the victim (the source address that was used in the spoofed request). Because the size
of the response is typically considerably larger than the request, the attacker is able to
amplify the volume of traffic directed at the victim. Dont think it would affect just the
victim. Essentially this means that your equipment is taking part in a botnet leveraging
a DDoS attack towards other systems, potentially causing disruption of services and harm.

If your systems take part in such a DDoS attack then your own network, server and services
infrastructure too can easily become congested.

To get around this issue, configure your DNS server to either disable recursion or
allow recursion from trusted set of IPs.

recursion can be disabled by adding the following line to your /etc/named.conf file :

options {

recursion no;

};

You can allow recursion from a trusted set of IPs by giving the following

options {

allow-recursion { 127.0.0.1; IP1; IP2; }; //include your server IPs and
your provider’s nameserver IPs and whichever IPs you feel can be trusted
.
};

Suppose you have a DNS server and you have configured your named as

allow-recursion { IP1;IP2; } ;

Try the following from the machine with IP1,

#nslookup google.com x.x.x.x ( x.x.x.x is the DNS server IP )

The result would be :

———–

(root) nameserver = J.ROOT-SERVERS.NET
(root) nameserver = K.ROOT-SERVERS.NET
(root) nameserver = L.ROOT-SERVERS.NET
(root) nameserver = M.ROOT-SERVERS.NET
(root) nameserver = A.ROOT-SERVERS.NET
(root) nameserver = B.ROOT-SERVERS.NET
(root) nameserver = C.ROOT-SERVERS.NET
(root) nameserver = D.ROOT-SERVERS.NET
(root) nameserver = E.ROOT-SERVERS.NET
(root) nameserver = F.ROOT-SERVERS.NET
(root) nameserver = G.ROOT-SERVERS.NET
(root) nameserver = H.ROOT-SERVERS.NET
(root) nameserver = I.ROOT-SERVERS.NET

…..

———–

Suppose you made the same query from an IP which is not
defined in allow-recursion, then you get the following

———-

Server: x.x.x.x
Address: x.x.x.x#53

** server can’t find google.com: REFUSED

———-

So, consider about tweaking your DNS server, if its an Open resolver !