DNS Amplification attack?

Wil_Schultz · January 20, 2009, 8:54pm

Anyone else noticing "." requests coming in to your DNS servers?

http://isc.sans.org/diary.html?storyid=5713

I'm seeing them coming from the following addresses in my ns server logs.

69.50.142.110
69.50.142.11
76.9.16.171
66.230.128.15
66.230.160.1

-wil

Raoul_Bhatia_IPAX · January 20, 2009, 10:43pm

hi,

SANS.edu Internet Storm Center - SANS Internet Storm Center

I'm seeing them coming from the following addresses in my ns server logs.

69.50.142.110
69.50.142.11
76.9.16.171
66.230.128.15
66.230.160.1

counting 319149 denied queries for './NS/IN' since 2008-01-01, i see
roughly 96% "coming" from those ips:

   1071 216.240.131.173
   1183 74.86.34.144
   3397 216.201.83.2
   4526 216.201.82.19
  13568 66.230.128.15
  15487 69.50.142.110
  17689 66.230.160.1
  21987 69.50.137.175
  52392 76.9.16.171
  72591 76.9.31.42
113548 69.50.142.11

so "yes"

please also see another thread titled "isprime DOS in progress".

cheers,
raoul

David_W_Hankins · January 20, 2009, 11:31pm

I was surprised to see 'amplification' in the subject line here, since
on my nameservers my replies are of equal length to the queries. A
little bit of asking around, and I see that it is an amplification
attack, preying on old software.

Let me sum up;

If you're running 9.4 or later, you will reply to these packets with
45 octet RCODE:Refused replies. 1:1. 9.4 has an "allow-query-cache"
directive that defaults to track allow-recursion, which you should
have set appropriately.

If you're running 9.3 or earlier, you will reply to these queries
"out of cache" (the root hints), and those replies can be 300-500
octets I think. 1:6-11.

So in lieu of keeping a new up-to-date list of IP addresses to filter,
as it expands and shrinks, you can greatly reduce your own footprint
in these attacks with a quick upgrade.

Kameron_Gasso1 · January 21, 2009, 2:16am

Wil Schultz wrote:

Anyone else noticing "." requests coming in to your DNS servers?

SANS.edu Internet Storm Center - SANS Internet Storm Center

I'm seeing them coming from the following addresses in my ns server logs.

69.50.142.110
69.50.142.11
76.9.16.171
66.230.128.15
66.230.160.1

We're also seeing a great number of these, but the idiots spoofing the
queries are hitting several non-recursive nameservers we host - and only
generating 59-byte "REFUSED" replies.

Looks like they probably just grabbed a bunch of DNS hosts out of WHOIS
and hoped that they were recursive resolvers.

Christopher_Morrow · January 21, 2009, 2:21am

a point to bear in mind here is that... 'its working' is good enough
for the bad folks no need to optimize when this works. Also, it's
likely this isn't all of the problem the spoofed requestors are seeing
these past few days

-Chris

Kameron_Gasso1 · January 21, 2009, 2:35am

Christopher Morrow wrote:

a point to bear in mind here is that... 'its working' is good enough
for the bad folks no need to optimize when this works. Also, it's
likely this isn't all of the problem the spoofed requestors are seeing
these past few days

Unfortunately, I can't restrict traffic to/from my authoritative
nameservers like I can with my recursive ones, since it will break DNS
resolution for outside visitors to domains we host.

Fortunately, the spoofed queries are 60 bytes and my REFUSED responses
are only 59, so it's a terribly inefficient way to DoS someone.
However, I never said that the DDoS kiddies were smart - doesn't seem to
be stopping them from trying.

Thanks,

Christopher_Morrow · January 21, 2009, 2:47am

bind has a 'blackhole' capabilty... which doesn't seem to reply with
anything (from my quick testing)

-chris

Chris_Adams3 · January 21, 2009, 3:07am

Once upon a time, Kameron Gasso <kgasso-lists@visp.net> said:

Fortunately, the spoofed queries are 60 bytes and my REFUSED responses
are only 59, so it's a terribly inefficient way to DoS someone.
However, I never said that the DDoS kiddies were smart - doesn't seem to
be stopping them from trying.

Well, it still makes a DDoS, since they can (theoretically) have a bunch
of sources spoofing the IPs, and the packets to the targets have
legitimate source addresses (so they can't easily be blocked by the
target).

Stuart_Henderson · January 21, 2009, 11:43am

For you, yes.

In many cases, there's either no amplification or a small decrease
in traffic (though it makes it hard to shut off the true source).

In a few cases (e.g. tinydns), there's no response, so the attackers
traffic is wasted.

But what about the people that happen to have misconfigured their
authoritative DNS servers so that they're answering recursive queries
from the world? 60 -> 520 bytes isn't bad, and I bet it's not _that_
uncommon...

David_Coulthart · January 21, 2009, 1:45pm

After reading this thread, I decided it was prudent to test my authoritative nameservers & was surprised to discover I could retrieve cached records from my nameserver even though I have "recursion no;" in my options stanza in named.conf. Re-reading the ARM, I see that behavior is expected. But is there some reason not to set "allow-recursion { none; };" since I already have recursion disabled?

Thanks,
Dave Coulthart