[148598] in North American Network Operators' Group


Re: DNS Attacks

daemon@ATHENA.MIT.EDU (Ken A)
Thu Jan 19 10:55:23 2012

Date: Thu, 19 Jan 2012 09:54:21 -0600
From: Ken A <ka@pacific.net>
To: nanog@nanog.org
In-Reply-To: <2996806E-AFD9-442A-948B-82118461845E@ukbroadband.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On 1/18/2012 1:45 AM, Leigh Porter wrote:
>
>
> On 18 Jan 2012, at 05:06, "toor"<lists@1337.mx>  wrote:
>
>> Hi list,
>>
>> I am wondering if anyone else has seen a large amount of DNS
>> queries coming from various IP ranges in China. I have been trying
>> to find a pattern in the attacks but so far I have come up blank. I
>> am completely guessing these are possibly DNS amplification attacks
>> but I am not sure. Usually what I see is this:
>>
>
> At various seemingly random times over the past week I have had a DNS
> which is behind a firewall come under attack. The firewall is
> significant because the attacks killed the firewall as it is rather
> under-specified (not my idea..).
>
> It did originate from Chinese address space and consisted of DNS
> queries for lots of hosts. There was also a port-scan in the traffic
> and a SYN attack on a few hosts on the same small subnet as the DNS,
> a web server and an open SSH port.
>

We are seeing this too, though we don't have the kind of exposure some 
of the larger providers do. fwiw.. If for some reason, you can't use a 
dedicated box for DNS and/or a simple acl to protect services on a box, 
you can turn off connection tracking in iptables per-port using the 
NOTRACK target.

# the raw table is consulted before connection tracking, so NOTRACK keeps
# inbound queries and our outbound answers out of the conntrack state table
iptables -t raw -I PREROUTING -p udp --dport 53 -j NOTRACK
iptables -t raw -I OUTPUT -p udp --sport 53 -j NOTRACK

http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#NOTRACKTARGET

Ken


-- 
Ken Anderson

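A small added shell example, not from any poster in this thread, that wraps the NOTRACK approach above: it builds the raw-table rules for a given UDP port, applies them only if they are not already present (assumes an iptables with `-C`/`--check`), and reads the kernel's conntrack counters to report how full the state table is, which is what a UDP query flood fills up.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Linux with iptables (raw table,
# NOTRACK target, -C check option) and the nf_conntrack sysctl counters.

# Print the two rules Ken posted, for any UDP service port.
notrack_rules() {
    port="$1"
    printf '%s\n' \
        "iptables -t raw -I PREROUTING -p udp --dport $port -j NOTRACK" \
        "iptables -t raw -I OUTPUT -p udp --sport $port -j NOTRACK"
}

# Idempotent apply: -C returns 0 when the rule already exists, so a repeated
# run (e.g. from cron or a boot script) does not stack duplicate rules.
apply_notrack() {
    port="$1"
    iptables -t raw -C PREROUTING -p udp --dport "$port" -j NOTRACK 2>/dev/null ||
        iptables -t raw -I PREROUTING -p udp --dport "$port" -j NOTRACK
    iptables -t raw -C OUTPUT -p udp --sport "$port" -j NOTRACK 2>/dev/null ||
        iptables -t raw -I OUTPUT -p udp --sport "$port" -j NOTRACK
}

# Conntrack table usage in percent. Paths default to the kernel counters but
# can be overridden so the function can be checked against constructed files.
conntrack_usage_pct() {
    count_file="${1:-/proc/sys/net/netfilter/nf_conntrack_count}"
    max_file="${2:-/proc/sys/net/netfilter/nf_conntrack_max}"
    count=$(cat "$count_file") || return 1
    max=$(cat "$max_file") || return 1
    [ "$max" -gt 0 ] || return 1
    echo $(( count * 100 / max ))
}
```

Run `apply_notrack 53` as root on the DNS box; `conntrack_usage_pct` is useful before and after to confirm the table stops growing under load.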
