DNS Incoming Bandwidth Blocked by Windows Firewall yet is still being allowed in?

Today has been an interesting day for my server.

It's a server located in a data center, used for my gaming community and other unrelated things.

Earlier today the outgoing bandwidth was peaking at 500 Mbit/s in bursts of 30 seconds to 2 minutes. Immediately opening Wireshark, I found it was a DNS fragmentation attack (which, unfortunately, I have experience with on another server).

On one of the virtual machines I had installed Windows DNS Server by mistake and have since removed it, but for whatever reason it didn't complete the removal process, and I didn't realize that until a little after I saw the bandwidth going crazy. For whatever reason, by default Microsoft enables recursive queries, so it was open to being used maliciously (though I'm not exactly sure why or how it was noticed so quickly, considering it was only left open for a day at most and was not even being used by my domain as a name server). So, fair enough, that problem was quickly fixed.

I run 3 other name servers that all have recursive queries turned off (all of which seem unaffected by the attack).

However, for the past few hours the server has been downloading DNS Standard Queries (noticed from Wireshark) to the IP address that used to run the DNS server.

I cannot figure out how it's possible, because I have blocked incoming port 53 (which is the destination port according to Wireshark).

It does not appear that any Windows application is sucking up the bandwidth, and it is only noticeable in Wireshark (it appears on both the main server and the VM, because the VM is a Hyper-V VM).

I've tried everything from changing the DNS servers it is pointing to, to completely disabling the DNS Client service, and neither seemed to have any effect.

Is there a deeper-level firewall that would allow me to block the traffic? It's not an insane amount of incoming bandwidth (it seems to be maxing out at 13 Mbit/s, and the server is on a 1 Gbps port).

And hopefully it will die down within a few hours or by tomorrow.

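The cleanup the post describes (get rid of the leftover recursive resolver and make port 53 unreachable, then prove it), as an added PowerShell example that is not the poster's own commands. It assumes an elevated session on the Hyper-V guest that used to hold the DNS Server role, and that the guest's public address is 203.0.113.10; both are assumptions to replace. The last step is meant to be run from a machine outside the data center, because a block rule on the guest's own firewall is exactly what a local query would not exercise.

```powershell
# Added example, not the poster's commands. Run in an elevated PowerShell
# session on the Hyper-V guest that used to hold the DNS Server role.
# Assumption: the guest's public address is 203.0.113.10 (replace it).

# 1. Is anything still bound to port 53? A half-removed role can leave the
#    DNS service listening even though Server Manager no longer shows it.
Get-NetUDPEndpoint -LocalPort 53 -ErrorAction SilentlyContinue | ForEach-Object {
    "UDP/53 listener: PID {0} ({1})" -f $_.OwningProcess, (Get-Process -Id $_.OwningProcess).ProcessName
}
Get-NetTCPConnection -LocalPort 53 -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
    "TCP/53 listener: PID {0}" -f $_.OwningProcess
}

# 2. If the role is still installed, disable recursion first (that is the
#    setting that let outsiders use the box as an amplifier), stop the
#    service so it cannot answer while the role is removed, then remove it.
if ((Get-WindowsFeature -Name DNS).Installed) {
    Set-DnsServerRecursion -Enable $false
    Stop-Service -Name DNS -Force
    Set-Service -Name DNS -StartupType Disabled
    Uninstall-WindowsFeature -Name DNS -IncludeManagementTools
}

# 3. Block inbound DNS on every profile, UDP and TCP, so a forgotten or
#    reinstalled listener is unreachable from the Internet regardless.
foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "Block inbound DNS ($proto/53)" `
        -Direction Inbound -Protocol $proto -LocalPort 53 `
        -Action Block -Profile Any -Enabled True | Out-Null
}

# 4. Verify from a machine OUTSIDE the data center: a recursive query for a
#    name this host is not authoritative for must be refused or time out.
$target = '203.0.113.10'   # assumption: the former DNS VM's public address
try {
    Resolve-DnsName -Name example.com -Type A -Server $target -DnsOnly -ErrorAction Stop | Out-Null
    Write-Warning "$target still resolves example.com: it is an open resolver"
} catch {
    "$target did not answer recursively: $($_.Exception.Message)"
}
```

Steps 1 to 3 belong on the guest; step 4 only means something from an address the firewall treats as external. Blocking inbound 53 at the host firewall does nothing about the queries still arriving on the wire, but it does stop the box from answering them, which is what turns it from a reflector back into noise.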

"However, for the past few hours the server has been downloading DNS Standard Queries (noticed from Wireshark) to the IP address that used to run the DNS server."

I have read this like 5 times; what are you trying to say here? That you are still seeing inbound traffic via Wireshark? Wireshark would sniff the traffic before your firewall, so you would see this traffic whether 53 was listening or not, whether it was blocked by the firewall, etc.

That is what it sounds like to me. It's noise if you're not running DNS on this IP, like when you join a P2P swarm and see queries to your IP whether you're still running the P2P client or not, etc.

If they were using you as an attack box, you will see that traffic until they stop trying to use you, but removing DNS or blocking it prevents your box from actually doing the attack, etc.

Or do you mean your box is sending queries? Can you post a snip of this sniff you're seeing?

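Budman's point, that Wireshark captures packets before the firewall gets to evaluate them, means a capture can never show whether the block rule is working. The Windows Filtering Platform can audit the packets it drops instead, which is the check to run here. This is an added example and not from the thread; it assumes an elevated PowerShell session on the guest, that the inbound port-53 block rule already exists, and that the Security log events are rendered in English (the text matches below rely on that).

```powershell
# Added example, not from the thread. Run elevated on the guest after the
# inbound port-53 block rule exists. Assumption: the events are rendered in
# English, so the text matches below work on the message body.

# Turn on auditing of packets the Windows Filtering Platform drops; every
# dropped packet is then logged to the Security log as Event ID 5152.
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable | Out-Null

# Let the flood run for half a minute, then count the inbound drops to port 53.
Start-Sleep -Seconds 30
$since = (Get-Date).AddMinutes(-1)
$drops = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Direction:\s+Inbound' -and $_.Message -match 'Destination Port:\s+53\b' }

if ($drops) {
    "{0} inbound packets to port 53 were dropped in the last minute" -f @($drops).Count

    # Top talkers: the sources still hammering the old resolver address.
    $drops | ForEach-Object { [regex]::Match($_.Message, 'Source Address:\s+(\S+)').Groups[1].Value } |
        Group-Object | Sort-Object Count -Descending | Select-Object -First 5 Count, Name

    # The filter that did the dropping (its run-time ID maps back to a firewall rule).
    ($drops | Select-Object -First 1).Message -split "`r?`n" | Where-Object { $_ -match 'Filter Run-Time ID|Layer Name' }
} else {
    "No 5152 drops to port 53 in the last minute: either the flood stopped or nothing is blocking it"
}

# Switch the audit off again afterwards; a flood fills the Security log fast.
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable | Out-Null
```

If the drops show up, the firewall is doing its job and what Wireshark shows on the host and guest is just the packets reaching the virtual switch, which no guest-side rule can prevent. If nothing is logged while the capture still shows queries, the rule is not matching (wrong profile, wrong interface, or the traffic is being accepted by an allow rule earlier in the evaluation), and that is worth chasing.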

  • 3 weeks later...

Hello Budman, 

Sorry for the late response; I never noticed you had answered this thread.

Windows Resource Monitor was not detecting the INCOMING traffic on any service; however, I use NetMeter to monitor/track bandwidth usage, which was clearly showing 10-12 Mbps INCOMING towards a Hyper-V virtual machine that used to run a DNS server.

Because it was going through a virtual switch, it was traceable with Wireshark on both the host machine and the virtual machine, and what I saw were incoming DNS queries.

Whatever was happening has long since subsided. But it was interesting that it took several minutes after the virtual machine was shut down before the bandwidth dropped.

It's a tad confusing to explain, and by all logic it shouldn't have happened.
