Weird DNS attack


Recommended Posts

I've been asked to take a look at a named DNS server that's being apparently DOSed. It shows indeed quite a lot of random requests from random (likely spoofed) IPs.

 

The queries look like this: rbzdywf.www.xtj123.com, all of them different and between 5 and 15 every second (at least for the time I was actively watching them).

 

The weird thing is: the ammount of traffic those requests generate is only enough to take the DNS down once every few days (on specific peak hours, I guess) so it doesn't make much sense as neither a random or targeted attack.

 

Needless to say, the DNS setup is a bit on the crappy side, configured long ago by someone no longer working there and whose configurations are maintained as they are mostly because no one is really sure about what could break if they were changed  :/ it'll be nuked from orbit and rebuilt sometime soon, but in the meanwhile they need to keep it up and running.

 

First thing I did was disabling recusion (god knows why it wasn't disabled, as it's an authoritative server) and global allow-transfer (which is individually enabled as "any" for several zones, again god knows why).

Tests show that non authoritative queries now return a "rejected" status. Should that be enough to keep this crap running at the very least?

 

And why the hell would anyone maintain such a weak sustained attack against a DNS server? Both IPs and queried addresses are completely random, so it doesn't seem to be part of an attack against other target, and as I said before the traffic isn't high enough to consistently bring the service down (which anyone motivated enough could have easily done, given the utter misconfiguration of named).

Link to comment
Share on other sites

Good on you for disabling recursion, its possible it was left on by default if it is running under Windows DNS Server and the person who originally set it up may have had no idea what recursion was... 

 

 

Is the DNS server used on a local network or is it a remote dedicated DNS server?

 

 

The fact that it's going down still isn't a good thing... but hopefully you have a backup DNS server?

 

 

Truthfully, if you have a backup DNS server I would just disable that DNS server for a day or so and see if the traffic continues?

 

 

Have you used packet sniffing programs to monitor the queries?

Link to comment
Share on other sites

Its most likely not you they are attacking but using it as amplification.. What are the specific queries A, NS, SOA, etc..

 

So if you had recursion on, you get asked for something so you go ask for it, etc.

 

What nameserver you running?  I would turn on rate limiting as well.

Link to comment
Share on other sites

Good on you for disabling recursion, its possible it was left on by default if it is running under Windows DNS Server and the person who originally set it up may have had no idea what recursion was... 

 

 

Is the DNS server used on a local network or is it a remote dedicated DNS server?

 

 

The fact that it's going down still isn't a good thing... but hopefully you have a backup DNS server?

 

 

Truthfully, if you have a backup DNS server I would just disable that DNS server for a day or so and see if the traffic continues?

 

 

Have you used packet sniffing programs to monitor the queries?

 

It's a named/bind DNS server on a SUSE 10 server (!!!!) that must be more outdated than bell-bottoms (I didn't even dare checking  :wacko: ) and no backup servers. A mess, I tell you.

 

The server is (as far as I can tell, because I was just dropped in there with about 0 information... heck, I don't even know the network topology or where exactly that server is sitting) serving both LAN and WAN, all in one single named.conf (what a wonderfull idea, right?). And no, there are no backup DNS servers  :laugh:

 

Sniffing doesn't tell much. The "attacking" queries come through the WAN facing interface and they are UDP, so there's no easy way to be 100% sure about them being spoofed but logic tells there's no way they aren't.

 

Its most likely not you they are attacking but using it as amplification.. What are the specific queries A, NS, SOA, etc..

 

So if you had recursion on, you get asked for something so you go ask for it, etc.

 

What nameserver you running?  I would turn on rate limiting as well.

 

Queries are A.

 

The nameserver is bind 9.3.4.

The problem with rate limits (which wouldn't be a bad idea anyway) is that as far as I understand are applied on a per source basis, yet query logs here are showing completely different source IPs for every query.

Link to comment
Share on other sites

I don't think 9.3.4 supports rate limits even, unless it was back ported?  9.5.5 is current - I would update it, and sounds like you have some clean up to be sure.. Sounds like a fun project actually!

 

So only 1 DNS?  At this location, for for the domain(s) total?  There is a guy on pfsense forums having some issues with dns - and he is pointing his public domain to just 1 IP - I am flabbergasted that his registrar even allows that, everyone I have used requires 2 diferent IPs.. Even if they point to the same box - you still can not put in the same IP for both nameservers.

Link to comment
Share on other sites

I don't think 9.3.4 supports rate limits even, unless it was back ported?  9.5.5 is current - I would update it, and sounds like you have some clean up to be sure.. Sounds like a fun project actually!

 

So only 1 DNS?  At this location, for for the domain(s) total?  There is a guy on pfsense forums having some issues with dns - and he is pointing his public domain to just 1 IP - I am flabbergasted that his registrar even allows that, everyone I have used requires 2 diferent IPs.. Even if they point to the same box - you still can not put in the same IP for both nameservers.

 

You are right, rate limits are not supported.

 

So far I only know that they currently have one single DNS running... at least with an authoritative role for those zones. I think there's another unrelated non-authoritative DNS for the local network, which is strange because this one was also accessible from the local network and was resolving non-authoritative queries.

 

Patching this could indeed be fun but what I'd actually love to do if I get a green light is nuking all this from orbit and retooling the network.

Also they were trying (for months) to block the attack manually adding rules to the firewall... they must have a freaking huge table there by now.

Link to comment
Share on other sites

I would take the nuke from orbit approach as well - clean setup where possible is always better.  Hard to do that to the whole setup at once without serious down time though.

 

As to 1 dns - simple enough to check with simple whois to see what nameservers are registered.  It might be there is only 1 online, but I don't know of a registrar that will allow you to only setup 1 dns..  Any public domain needs min 2 nameservers - now people skirt the system pointing to same box different IPs, etc.  But you need to enter 2.

Link to comment
Share on other sites

Well. more strange stuff piling up  :laugh:

 

Apparently something went wrong with the DNS server late yesterday and wasn't fixed until this morning. Surprise: now the zones aren't propagated to other DNS servers (not a single one in whatsmydns) and trying a nslookup on any of those online nslookup services fails with a timeout (;; connection timed out; no servers could be reached).

 

So ok, I thought, maybe the DNS server is not actually running or there's something going wrong with the firewall. I tried to nslookup from two computers on two different networks and to my surprise it worked: not only do I get the authoritative anwers but the query shows up in the server's querylog.

 

WTF?

 

 

BTW, yeah, it turns out there's a secondary slave DNS server (with exactly the same mix of success/failure I described above about the master one).

Link to comment
Share on other sites

What domain(s) are you having issues with - if you PM some to me be happy to tell you what I think from a public side view.

Link to comment
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.