LinuxQuestions.org
Slackware forum: This Forum is for the discussion of Slackware Linux.
Old 03-30-2013, 07:44 AM   #1
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,075

US-CERT Alert TA13-088A: DNS Amplification Attacks


Quote:
National Cyber Awareness System
TA13-088A: DNS Amplification Attacks


Original release date: March 29, 2013

Systems Affected

* Domain Name System (DNS) servers

Overview

A Domain Name Server (DNS) Amplification attack is a popular form of
Distributed Denial of Service (DDoS) that relies on the use of
publicly accessible open recursive DNS servers to overwhelm a victim
system with DNS response traffic.
The notice is an advisory explaining DDoS attacks and what you can do to detect and mitigate them. It's well worth your time to read through the notice and, maybe, apply a tweak or two to your DNS server configuration.

The entire notice is available at http://www.us-cert.gov/ncas/alerts/TA13-088A.

Hope this helps some.
 
Old 03-30-2013, 08:05 AM   #2
ponce
Senior Member
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 2,457

Quote:
In the global options, add the following [10]:
acl corpnets { 192.168.1.0/24; 192.168.2.0/24; };
options {
allow-query { corpnets; };
allow-recursion { corpnets; };
};
FYI, these are listed as basic security options in the DNS-HOWTO (written in 2001).

I'm amazed that 25 million of the 27 million DNS servers tested are vulnerable to this kind of attack today.

Last edited by ponce; 03-30-2013 at 08:06 AM.
 
Old 03-30-2013, 08:51 AM   #3
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,075

Original Poster
Yup, never ceases to amaze me too -- particularly when it's me that didn't RTFM.

I suppose that reminders every so often are not a bad thing, eh?
 
Old 03-30-2013, 09:03 AM   #4
ponce
Senior Member
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 2,457

Eh, I personally think the percentage of vulnerable servers will drop by just 1% after this event (I'm an optimist).
 
Old 03-30-2013, 09:29 AM   #5
jtsn
Member
 
Registered: Sep 2011
Location: Europe
Distribution: Slackware
Posts: 806

BTW: The main source of the problem is misconfigured ISPs, which don't filter customer traffic originating from forged IP addresses.

Affected are not only DNS servers, but any publicly accessible protocol which uses UDP. If HTTP used UDP instead of TCP, all web servers of the world would be "vulnerable" to this and there would be nothing that you could do about it (without locking legitimate visitors out of your website).
 
Old 03-30-2013, 09:48 AM   #6
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,075

Original Poster
That's pretty much what the notice talks about (and how to fix it).
 
Old 03-30-2013, 11:46 AM   #7
ponce
Senior Member
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 2,457

Interesting article on the matter

http://www.theregister.co.uk/2013/03..._the_internet/
 
Old 03-30-2013, 11:58 AM   #8
yenn
Member
 
Registered: Jan 2011
Location: Czech Republic
Distribution: Slackware, Gentoo
Posts: 155

I'm quite confused right now. My DNS servers are running Bind 9.9.2 (latest Slackware package) and, with or without these directives, they don't act as open resolvers. And at the same time they recursively resolve for the local network.
Quote:
In the global options, add the following [10]:
acl corpnets { 192.168.1.0/24; 192.168.2.0/24; };
options {
allow-query { corpnets; };
allow-recursion { corpnets; };
};
Are there some safe default settings in latest Bind releases or how is that possible?
 
Old 03-30-2013, 12:23 PM   #9
ponce
Senior Member
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 2,457

It's explained in the article above: since bind-9.4.1-P1 recursion is disabled by default.

But there are many old DNS servers out there, and people tend not to update them for fear of breaking things.

Last edited by ponce; 03-30-2013 at 12:25 PM.
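A way to check from the outside what yenn and ponce are describing, as an added example that is not from the US-CERT alert, the DNS-HOWTO or any poster in this thread: build the standard open-resolver probe (a query with RD set for a name the target is not authoritative for), classify the reply by its RA flag, rcode and answer count, and measure the on-wire amplification factor, which is the number the alert's title is about. The RFC 1035 wire-format helpers are hand-written; the two sample replies are constructed for offline use (one from a resolver that recursed for us, one from a locked-down server answering REFUSED); `probe()` is the only function that touches the network, and it is not exercised by the samples. www.example.com and the 192.0.2.x addresses are placeholders.

```python
"""Open-resolver probe and amplification-factor check (added example).

Wire format per RFC 1035. Sample responses below are constructed, not captured.
"""
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=QTYPE_A, txid=0x1234, rd=True):
    """Single-question query. RD=1 asks the server to recurse for us,
    which is exactly what an open-resolver probe wants to find out."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    """Decode the 12-byte header into its flags and section counts."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify(query, response):
    """RA alone says the server is *willing* to recurse for our source address;
    a NOERROR answer with records for a foreign name proves it actually did.
    The amplification factor is response bytes per query byte on the wire."""
    q = parse_header(query)
    r = parse_header(response)
    if r["id"] != q["id"] or not r["qr"]:
        raise ValueError("response does not match query")
    open_resolver = r["ra"] and r["rcode"] == 0 and r["ancount"] > 0
    return {"open_resolver": open_resolver,
            "recursion_offered": r["ra"],
            "rcode": RCODE_NAMES.get(r["rcode"], str(r["rcode"])),
            "answers": r["ancount"],
            "amplification": len(response) / len(query)}


def probe(server, qname="www.example.com", qtype=QTYPE_A, timeout=3.0):
    """Live check (not run offline): send the probe over UDP and classify the reply."""
    query = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        response, _ = s.recvfrom(4096)
    return classify(query, response)


# ---- constructed sample replies for offline use ----

def build_response(query, rcode, ra, a_records=()):
    """Reply a server would send to `query`: same ID, question echoed, A records
    whose owner name is a compression pointer (0xC00C) to the question name."""
    q = parse_header(query)
    flags = 0x8000 | (0x0100 if q["rd"] else 0) | (0x0080 if ra else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", q["id"], flags, 1, len(a_records), 0, 0)
    question = query[12:]
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + socket.inet_aton(ip)
        for ip in a_records)
    return header + question + answers


def sample_open_resolver():
    """Constructed: a resolver that recursed and returned four A records."""
    q = build_query("www.example.com")
    return q, build_response(q, rcode=0, ra=True,
                             a_records=["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"])


def sample_locked_down():
    """Constructed: allow-recursion/allow-query-cache deny us, so we get REFUSED."""
    q = build_query("www.example.com")
    return q, build_response(q, rcode=5, ra=False)


if __name__ == "__main__":
    for name, (q, r) in (("open", sample_open_resolver()), ("locked", sample_locked_down())):
        print(name, classify(q, r))
```

Run `probe("203.0.113.53")` against your own resolver from an address outside its ACL; a hardened server yields `open_resolver: False` and usually `rcode: REFUSED`. Note that the amplification figure is meaningful even for a server with recursion off: an authoritative server still reflects answers for its own zones (an ANY query against a DNSSEC-signed zone can return many times the 33-byte probe), which is why response-size and rate limits matter there too.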
 
Old 04-01-2013, 02:10 PM   #10
yenn
Member
 
Registered: Jan 2011
Location: Czech Republic
Distribution: Slackware, Gentoo
Posts: 155

Thanks for the link. Every time I visit LQ I learn something new.
 
Old 04-02-2013, 06:47 AM   #11
chrisretusn
Member
 
Registered: Dec 2005
Location: Philippines
Distribution: Slackware
Posts: 484

Well of course I read the article, my DNS server is fine, because I before setting it up.
 
Old 08-16-2013, 11:20 AM   #12
meltonkt
LQ Newbie
 
Registered: Aug 2013
Location: National Capitol Region, United States
Distribution: Gentoo, Ubuntu, Red Hat Enterprise
Posts: 1

Just an FYI, I updated the document recently to clarify some of the wording and included some additional mitigation techniques. Based on community feedback, it was a little vague on whether it applied only to recursive resolvers. I appreciate any feedback.
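To make the recursive-versus-authoritative distinction meltonkt mentions concrete, here is an added named.conf example (mine, not from the alert, the DNS-HOWTO or any poster), with the weak open-resolver configuration next to the hardened recursive and authoritative-only variants. The network ranges, zone name and file name are placeholders, and the three `options` blocks are alternatives for three different servers, not one file. Since BIND 9.4.1-P1 the built-in default for `allow-recursion` and `allow-query-cache` is `localnets; localhost;`, which is why yenn's 9.9.2 servers were not open even without the ACL; writing the ACL out explicitly still belongs in the file so the behaviour does not depend on a default. `rate-limit` (response rate limiting) needs BIND 9.9.4 built with `--enable-rrl`, or 9.10 and later, so it is not available in the 9.9.2 package discussed above.

```conf
// --- 1. Weak: recurses for the whole Internet (the open-resolver case) ---
// Anyone who can spoof a UDP source address can aim this server's cached
// answers at a victim.
options {
    recursion yes;
    allow-query     { any; };
    allow-recursion { any; };
};

// --- 2. Hardened recursive resolver for an internal network ---
// Placeholder ranges; list the networks this resolver actually serves.
acl corpnets { 127.0.0.1; 192.168.1.0/24; 192.168.2.0/24; };
options {
    recursion yes;
    allow-query       { corpnets; };   // refuse everything from outside
    allow-recursion   { corpnets; };   // never recurse for outsiders
    allow-query-cache { corpnets; };   // and never hand them cached data
};

// --- 3. Authoritative-only server for a zone ---
// It has to answer the world for its own zones, so an ACL cannot hide it;
// turn recursion off, keep responses small and rate-limit the reflections.
options {
    recursion no;
    allow-query       { any; };
    allow-query-cache { none; };
    minimal-responses yes;
    rate-limit {                       // BIND 9.9.4 (--enable-rrl) / 9.10+
        responses-per-second 5;
        window 5;
    };
};
zone "example.com" {
    type master;
    file "example.com.zone";
};
```

After changing the file, run `named-checkconf` and reload, then verify from a host outside the ACL that a recursive query for a foreign name is refused (variant 2) or answered without the RA flag and without recursion (variant 3). Variant 3 does not stop reflection of the zone's own records; that is what `minimal-responses` and `rate-limit` are for, and why jtsn's point about ISPs filtering spoofed source addresses (BCP 38) is the only complete fix.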
 