Help in stopping DNS requests (DNS Amplification)
 

I lease a few servers from 1and1. Up until the beginning of last week, everything was functioning normally.

Starting last week one of my servers started receiving a massive increase in DNS traffic. There were between 100-200 requests per second with logs containing similar information to the following lines:
After some research I discovered that during a recent upgrade to Plesk, the DNS recursion settings were changed (by the upgrade script) to Any host! This resulted in my server acting as an open DNS answering all requests. This I changed immediately.
Further investigation identified huge log files and a massive amount of traffic. The traffic all requesting the above information, while spoofing the source ip. Blocking individual addresses required constant monitoring.

In order to reduce the log file size and CPU time, I implemented a set of iptables rules designed to:

1. Limit the number of connections to UDP 53
2. Match the strings; ripe.net and isc.org (discovered using Wireshark)

I have successfully managed to drop all these requests at the firewall and releasing the strain on my servers' I/O and CPU time, however using iptraf and 'iptables -vnL --line-numbers' the traffic is still continuing with the following statistics after 24 hours:

Although my firewall rules are working, I would prefer to find a more permanent method to block/reject. Anybody have any advice?

My server specs:
AuthenticAMD, AMD Phenom(tm) II X6 1055T Processor (6 CPU)
16GB RAM
1TB HDD
100Mbps/sec full duplex
Hardware Firewall
Linux 2.6.32-279.5.1.el6.x86_64 #1 SMP Tue Aug 14 23:54:45 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Plesk 11.0.9 (fully up-to-date)
'iptables' and 'ossec-hids'
8 IP addresses
authoritative name server (12 zones)

Thanks in advance,

Mark

0) I hope you filed a bug report? 1) Changed how (as in allowing now recursion from where exactly: details)?


First of all if you're using ISC BIND for dual reasons, caching name server plus authoritative name server, then you should split those up: providing yourself and your LAN with BIND as caching name server requires it to have recursion set, your publicly accessible authoritative name server does not.

Please read links / advice posted in: http://www.linuxquestions.org/questi...on-4175417284/, http://www.linuxquestions.org/questi...es-4175450008/ and maybe http://www.openlogic.com/wazi/bid/18...-DNS-with-BIND. You may find you have already implemented all of that but it never hurts to ensure you have. After checking / implementing that Netfilter rate limiting is still useful but you should not need IP blocking anymore (if you do use ipset instead) and having Netfilter do string matches is computationally way expensive (use a Snort rule instead). If you have ensured your NS can't be used for amplification attacks anymore you probably want to make BIND log less.

Thanks for the reply.

0) & 1) Bug report? : The Plesk Administrator's Guide explains! Link
I run an authoritative name server for my domains (and my customers). When I query my name server for one of my own domains, I get the right answer. Querying for anything else replies with Query refused. After the upgrade and before I realised it, I was running an open DNS :eek:! My server was obviously found and abused. What annoys me is that they are continuing with the isc and ripe requests, and these are dropped at the firewall.

While I do believe that the rate limiting I added to my firewall is helpful, I am concerned about any performance hit. The string matching is, as you stated; expensive but without this with the rate limiting on, named is using around 10% of 3/4 cores constantly.
Definitely cannot be used for amplification attacks. Would altering the logging change the CPU usage?

Snort looks useful and ipset is exactly what I need. The links you provided are also very good for reference. Thanks

I will update what I do in due course.

FYI; statistics of iptables after 36 hours