LinuxQuestions.org
Old 11-05-2012, 10:15 AM   #1
mkools
LQ Newbie
 
Registered: Oct 2004
Posts: 15

Rep: Reputation: 0
UDP flood by DNS servers?


Dear Experts,

I hope somebody can provide me some insight into what kind of attack this is. The attacker has been using this attack on my servers for 5/6 weeks now, multiple times a day. The attack consumes all my bandwidth (1 Gbps) and my servers go down during the attack.

I've started logging, and the weird thing is that it seems like DNS servers are attacking me. Just now I had another attack which made my system unreachable, and this was in the logfile (this is part of it; the log was huge, with all the same entries):

Code:
Nov  5 16:08:52 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=MyIPaddress LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=41555 PROTO=UDP SPT=53 DPT=22616 LEN=1390 
Nov  5 16:08:52 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=MyIPaddress LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=41556 PROTO=UDP SPT=53 DPT=22616 LEN=1390 
Nov  5 16:08:52 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=MyIPaddress LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=41557 PROTO=UDP SPT=53 DPT=22616 LEN=1390 
Nov  5 16:08:52 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=MyIPaddress LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=41558 PROTO=UDP SPT=53 DPT=22616 LEN=1390 
Nov  5 16:08:52 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=MyIPaddress LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=41559 PROTO=UDP SPT=53 DPT=22616 LEN=1390 
Nov  5 16:09:10 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=MyIPaddress LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=63260 PROTO=UDP SPT=53 DPT=22616 LEN=1390 
Nov  5 16:09:10 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=MyIPaddress LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=63261 PROTO=UDP SPT=53 DPT=22616 LEN=1390 
Nov  5 16:09:10 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=MyIPaddress LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=63262 PROTO=UDP SPT=53 DPT=22616 LEN=1390 
Nov  5 16:09:10 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=MyIPaddress LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=63263 PROTO=UDP SPT=53 DPT=22616 LEN=1390 
Nov  5 16:09:10 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=MyIPaddress LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=63264 PROTO=UDP SPT=53 DPT=22616 LEN=1390 
Nov  5 16:09:36 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=MyIPaddress LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=20128 PROTO=UDP SPT=53 DPT=22616 LEN=1390 
Nov  5 16:09:36 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=MyIPaddress LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=20129 PROTO=UDP SPT=53 DPT=22616 LEN=1390 
Nov  5 16:09:36 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=MyIPaddress LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=20130 PROTO=UDP SPT=53 DPT=22616 LEN=1390 
Nov  5 16:09:36 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=MyIPaddress LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=20131 PROTO=UDP SPT=53 DPT=22616 LEN=1390 
Nov  5 16:09:36 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=MyIPaddress LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=20132 PROTO=UDP SPT=53 DPT=22616 LEN=1390 
Nov  5 16:09:47 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=MyIPaddress LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=32077 PROTO=UDP SPT=53 DPT=22616 LEN=1390 
Nov  5 16:09:47 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=MyIPaddress LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=32078 PROTO=UDP SPT=53 DPT=22616 LEN=1390 
Nov  5 16:09:47 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=MyIPaddress LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=32079 PROTO=UDP SPT=53 DPT=22616 LEN=1390 
Nov  5 16:09:47 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=MyIPaddress LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=32080 PROTO=UDP SPT=53 DPT=22616 LEN=1390 
Nov  5 16:09:47 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=MyIPaddress LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=32081 PROTO=UDP SPT=53 DPT=22616 LEN=1390 
Nov  5 16:10:10 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=MyIPaddress LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=59315 PROTO=UDP SPT=53 DPT=22616 LEN=1390 
Nov  5 16:10:10 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=MyIPaddress LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=59316 PROTO=UDP SPT=53 DPT=22616 LEN=1390 
Nov  5 16:10:10 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=MyIPaddress LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=59317 PROTO=UDP SPT=53 DPT=22616 LEN=1390 
Nov  5 16:10:10 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=MyIPaddress LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=59318 PROTO=UDP SPT=53 DPT=22616 LEN=1390 
Nov  5 16:10:10 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=MyIPaddress LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=59319 PROTO=UDP SPT=53 DPT=22616 LEN=1390 
Nov  5 16:10:30 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=MyIPaddress LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=15898 PROTO=UDP SPT=53 DPT=22616 LEN=1390 
Nov  5 16:10:30 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=MyIPaddress LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=15899 PROTO=UDP SPT=53 DPT=22616 LEN=1390 
Nov  5 16:10:30 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=MyIPaddress LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=15900 PROTO=UDP SPT=53 DPT=22616 LEN=1390 
Nov  5 16:10:30 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=MyIPaddress LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=15901 PROTO=UDP SPT=53 DPT=22616 LEN=1390
198.41.0.4 seems to be a root DNS server. Any idea why that server is attacking me, or at least it seems like it's attacking me?

Thanks!

Last edited by mkools; 11-05-2012 at 10:17 AM.
 
Old 11-05-2012, 12:26 PM   #2
sag47
Senior Member
 
Registered: Sep 2009
Location: Orange County, CA
Distribution: Kubuntu x64, Raspbian, CentOS
Posts: 1,860
Blog Entries: 36

Rep: Reputation: 458
Have you tried contacting Verisign? Call or email Verisign Managed DNS and open a case with them. They value being a trustworthy network so they won't take attacks coming from their own network lightly.

SAM
 
Old 11-05-2012, 12:40 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582
Besides that, capturing a few full packets with tcpdump with -s0 and all resolution switches off would provide a more interesting read than any n gazillion identical syslog lines can.
 
Old 11-05-2012, 01:35 PM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 780
Since they are all coming from the same root DNS server, my guess would be that you are a victim of a DNS amplification attack. What happens is that a large number of DNS queries are made, usually using spoofed addresses, of a DNS server which then responds to the apparent source address with the requested information. Notice in your logs that the response length is 1410, which is a sizable chunk of information. Also notice that the destination port is always the same. To me this suggests a program or script generating the traffic as opposed to a normal process. This type of attack is insidious because a relatively small amount of source traffic can cause a massive flood of response data which can easily clog a normal server and network feed. This (yes, it is Microsoft) article appears to have a pretty detailed description of the problem. You may be able to implement a firewall rule to limit the effects of this traffic; however, it really needs to be addressed at a higher level to truly solve the problem.
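A way to triage log lines in the format posted above, as an added example that is not from any poster in this thread. It groups the netfilter "UDP-FLOOD:" lines by source and flags the pattern Noway2 describes: every packet from UDP source port 53, mean packet size above 512 bytes, and a single destination port being hit. The sample lines are constructed in the posted format: three amplified answers from 198.41.0.4 (with 203.0.113.5 standing in for MyIPaddress) plus two ordinary-sized answers from a hypothetical resolver 192.0.2.10 to two different client ports, the shape of legitimate replies to the host's own queries. It needs only a POSIX shell and awk.

```shell
#!/bin/sh
# Added example, not from the thread. Summarise netfilter "UDP-FLOOD:" log
# lines per source address: packet count, bytes (the first LEN= field, which
# is the IP total length; the second LEN= is the UDP length), how many
# packets came from UDP source port 53, how many distinct destination ports
# were hit, first/last timestamp and a verdict.
#   likely-dns-reflection : all packets SPT=53, mean size > 512 bytes, one DPT
#   other                 : anything else
summarize_udp_flood() {
    awk '
    /UDP-FLOOD:/ {
        src = ""; spt = ""; dpt = ""; len = 0; ts = $3
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC")      src = kv[2]
            else if (kv[1] == "SPT") spt = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "LEN" && len == 0) len = kv[2] + 0   # first LEN= only
        }
        pkts[src]++
        bytes[src] += len
        if (spt == "53") dns[src]++
        if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
        if (!(src in first)) first[src] = ts
        last[src] = ts
    }
    END {
        for (s in pkts) {
            verdict = "other"
            if (dns[s] == pkts[s] && bytes[s] / pkts[s] > 512 && ports[s] == 1)
                verdict = "likely-dns-reflection"
            printf "%s pkts=%d bytes=%d dns_src_port=%d dst_ports=%d first=%s last=%s verdict=%s\n",
                   s, pkts[s], bytes[s], dns[s] + 0, ports[s], first[s], last[s], verdict
        }
    }'
}

# Constructed sample in the posted format (203.0.113.5 stands in for
# MyIPaddress; 192.0.2.10 is a hypothetical resolver answering our own queries).
SAMPLE_LOG='Nov  5 16:08:52 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=203.0.113.5 LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=41555 PROTO=UDP SPT=53 DPT=22616 LEN=1390
Nov  5 16:08:52 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=203.0.113.5 LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=41556 PROTO=UDP SPT=53 DPT=22616 LEN=1390
Nov  5 16:08:52 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=192.0.2.10 DST=203.0.113.5 LEN=100 TOS=0x00 PREC=0x00 TTL=55 ID=1001 PROTO=UDP SPT=53 DPT=33001 LEN=80
Nov  5 16:08:53 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=198.41.0.4 DST=203.0.113.5 LEN=1410 TOS=0x00 PREC=0x00 TTL=241 ID=41557 PROTO=UDP SPT=53 DPT=22616 LEN=1390
Nov  5 16:08:54 ams01 kernel: UDP-FLOOD: IN=eth1 OUT= MAC=00:25:90:51:68:f4:74:8e:f8:71:30:00:08:00 SRC=192.0.2.10 DST=203.0.113.5 LEN=100 TOS=0x00 PREC=0x00 TTL=55 ID=1002 PROTO=UDP SPT=53 DPT=33002 LEN=80'

# Stand-alone run over the constructed sample; on a real box feed it
# grep UDP-FLOOD /var/log/messages instead.
printf '%s\n' "$SAMPLE_LOG" | summarize_udp_flood
```

The verdict is a heuristic, not proof: a resolver the host genuinely queried can also send large DNSSEC answers, but it will answer on whatever ephemeral port the query came from, not the same port thousands of times.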
 
Old 11-05-2012, 05:10 PM   #5
mkools
LQ Newbie
 
Registered: Oct 2004
Posts: 15

Original Poster
Rep: Reputation: 0
Thanks guys for the info. My fellow admin did a tcpdump when another attack was going on and this is what came out:

Code:
22:48:46.618640 IP ns1.numericable.net.domain > 213.247.x.x.49027: 1660 21/0/1 SOA, RRSIG, NS a.root-servers.net., NS b.root-servers.net., NS c.root-servers.net., NS d.root-servers.net., NS e.root-servers.net., NS f.root-servers.net., NS g.root-servers.net., NS h.root-servers.net., NS i.root-servers.net., NS j.root-servers.net., NS k.root-servers.net., NS l.root-servers.net., NS m.root-servers.net., RRSIG, DNSKEY, DNSKEY, RRSIG, NSEC, RRSIG[|domain]
22:48:46.618661 IP dnsr1.sbcglobal.net.domain > 213.247.x.x.14058: 1660 19/0/1 RRSIG, DNSKEY, DNSKEY, RRSIG, SOA, RRSIG, NS g.root-servers.net., NS d.root-servers.net., NS k.root-servers.net., NS a.root-servers.net., NS h.root-servers.net., NS i.root-servers.net., NS m.root-servers.net., NS c.root-servers.net., NS j.root-servers.net., NS f.root-servers.net., NS e.root-servers.net., NS b.root-servers.net., NS l.root-servers.net. (1320)
These are the top two DNS servers that generate the most traffic to my server when the DDoS is going on. The first one is a DNS server for an Internet provider in France, the second one is a DNS server owned by AT&T. When I googled for the latter I found this site: http://www.ipillion.com/ip/68.94.156.1 where that IP gets a whole lot of complaints from other people. I sent abuse reports to both companies, although I doubt they're gonna do anything about it.

Both DNS servers are open to queries, btw, which, from what I can read in the TechNet & other articles I found, is a requirement to do an amplification attack. It has to be an open DNS server and it has to allow unlimited queries to be made.

A fix is mentioned in this article: http://www.watchguard.com/infocenter...rial/41649.asp

They say a possible solution is to drop DNS response messages that are too large, over 512 bytes, or maybe even block the entire DNS server that the attacker is using for the attack. Of course this has to be done at a higher level and only my host provider can do this, and since I'm not Visa or eBay I doubt they will do that. I can't afford a $20K firewall to stop this stuff from happening.

Problem is though, I don't know who the attacker is or why he's attacking me, but he started with gameserver reflection attacks, using a bug in Quake 3 server engines which worked about the same way as the DNS reflection attacks. However, most server admins started patching or shutting down their servers because of the abuse, and now he's using open DNS servers as a new method to bring me down. That only says to me he's not kidding and he's not gonna stop anytime soon. If I can successfully block this attack, he will probably find a new way again to cause havoc, and I don't feel like playing cat & mouse all the time.

I have two US servers as well with Sharktech and they are doing a great job filtering out these attacks. He tried to attack these servers as well; I noticed something like 800 Mbps of traffic coming in, but in a matter of seconds that was reduced to a mere 1-2 Mbps, at which point he gave up and focused on my EU servers again, where traffic went probably far above 1 Gbps as both servers in my rack went completely dead during the attack.
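A host-side version of the two mitigations discussed in this post (drop unsolicited DNS answers, including the over-512-byte ones, and stop logging every single packet), as an added example that is not from the thread, the WatchGuard article, or any poster. It writes an iptables-restore ruleset to a file rather than loading it, so it can be reviewed first. Assumptions: eth1 is the public interface, the host runs no DNS server of its own (so the only legitimate inbound traffic from UDP/53 is an answer to a query this host sent, which conntrack sees as ESTABLISHED), and the conntrack, length and hashlimit matches are available. As the post says, this cannot give back the bandwidth: packets are dropped only after they have crossed the saturated 1 Gbps link, so it protects the host's CPU and logs, not the uplink.

```shell
#!/bin/sh
# Added example, not from the thread. Generates (does not load) an
# iptables-restore fragment for the filter table that:
#   1. accepts answers to queries this host sent (conntrack ESTABLISHED),
#   2. sends every other packet arriving from UDP/53 to a DNS_REFLECT chain,
#   3. logs at most 5 lines/minute per source instead of one line per packet,
#   4. drops large (>512-byte IP length) unsolicited answers on a rule of
#      their own so their counter shows the amplification volume,
#   5. drops the remaining unsolicited answers too.
# Assumptions: eth1 is the public interface; the host is not a DNS server.
# Caveat: this only saves CPU and log space; the link is still saturated.
write_dns_reflection_rules() {
    out="$1"
    cat > "$out" <<'EOF'
*filter
:DNS_REFLECT - [0:0]
# Answers to queries this host sent: conntrack saw our outbound UDP/53 query.
-A INPUT -i eth1 -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Everything else arriving from UDP/53 is unsolicited; inspect it separately.
-A INPUT -i eth1 -p udp --sport 53 -j DNS_REFLECT
# Log at most 5 lines per minute per source address, not one per packet.
-A DNS_REFLECT -m hashlimit --hashlimit-name dnsrefl --hashlimit-mode srcip --hashlimit-upto 5/minute --hashlimit-burst 5 -j LOG --log-prefix "DNS-REFLECT: "
# Large unsolicited answers are the amplification payload (IP length > 512).
-A DNS_REFLECT -m length --length 512:65535 -j DROP
# Small unsolicited answers are still unsolicited.
-A DNS_REFLECT -j DROP
COMMIT
EOF
}

# Structural self-check, no root needed: the ACCEPT for solicited answers must
# precede the jump into DNS_REFLECT, otherwise our own resolver's answers would
# be dropped as "unsolicited". Returns 0 when the order is right.
rules_order_ok() {
    f="$1"
    accept_ln=$(grep -n -- '--ctstate ESTABLISHED -j ACCEPT' "$f" | head -n 1 | cut -d: -f1)
    jump_ln=$(grep -n -- '-j DNS_REFLECT' "$f" | head -n 1 | cut -d: -f1)
    [ -n "$accept_ln" ] && [ -n "$jump_ln" ] && [ "$accept_ln" -lt "$jump_ln" ]
}

RULES="${TMPDIR:-/tmp}/dns_reflect_rules.$$"
write_dns_reflection_rules "$RULES"
rules_order_ok "$RULES" && echo "ruleset written to $RULES (load with: iptables-restore -n $RULES)"
```

Load it with iptables-restore -n (--noflush) so the existing rules in the filter table are kept; without -n the table is flushed first. The 512-byte threshold comes from the WatchGuard suggestion in the post; the length match is on the IP packet length, so a DNSSEC answer that a host's own resolver legitimately requested is still accepted by the ESTABLISHED rule before the length check is reached.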
 
Old 11-06-2012, 09:52 PM   #6
tquang
Member
 
Registered: Jul 2010
Posts: 44

Rep: Reputation: 0
With a spoofed IP address being used for the attack, please capture all packets with tcpdump and research them. I believe they have a special signature to identify.
 
  

