Some thoughts on DNS Amplification attacks as mentioned here for example:
http://dnsamplificationattacks.blogspot.de/2014/02/authoritative-name-server-attack.html
On several DNS servers I am responsible for, I have to deal with the exact same problem. Sadly I cannot just lock recursive clients out, as the server is used as primary DNS for customers. Limiting to an ACL does not help either, as the requests are coming from the allowed clients 🙁 Possible a lot of them are infected by malware. Using the rate limit feature of BIND is not helping here, because the queries are distributed across a lot of infected clients and this will not trigger the rate limits.
If you have a problem like this, you can see your DNS server opening a lot (hundreds, sometimes thousands) of connections to the victim DNS and flooding it with bogus A queries for random subdomains.
Using tcpdump this might look like this:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
11:26:08.502331 IP XXX.XXX.XXX.XXX.53961 > 114.114.116.135.53: 16075 A? ctefwvwherwd.gosky.chinacache.net. (51)
11:26:08.511161 IP XXX.XXX.XXX.XXX.48204 > 114.114.116.135.53: 59982 A? sfepcrmdwnczgp.gosky.chinacache.net. (53)
11:26:16.504011 IP XXX.XXX.XXX.XXX.64001 > 114.114.116.135.53: 16440 A? ctefwvwherwd.gosky.chinacache.net. (51)
11:26:16.513425 IP XXX.XXX.XXX.XXX.53530 > 114.114.116.135.53: 38553 A? sfepcrmdwnczgp.gosky.chinacache.net. (53)
How can you prevent this attack or soften it as much as possible? Good question, most people seem to manually search for the domain (in this example chinacache.net) and block it using the string-match feature in iptables.
I wrote a little script, that does the same thing, but can be run via CRON and blocks those queries automatically.
What does the script do?
1. It checks if there is an abnormally high number of open connections on port 53 to an IP adress (default: 50)
2. It then uses tcpdump to sample some (default: 10) packets of A? queries to that IP. If the number of queried domains exceeds a threshold (default: 10) of same domains+tld, it adds this domain+tld to a blacklist file (default: /etc/domain_blacklist)
3. It reads all entries of the blacklist file and converts the domain+tld to hex values and prepares and executes an iptables rule to block any queries for that domain
What you need?
iptables, tcpdump, xxd, awk
The script was hacked quite quick and dirty, so you definetly can simplify some things or solve them much better. But this works for me at this time and I hope some of you will find use for it.
As usual, this comes without any warrany of any kind 🙂 Use at own risk!
If you have own iptables rules in usage, you might want to modify the script to not flush iptables every time it runs.
You could also remove the echo debug outputs or direct outputs to /dev/null (if using cron).
Download: dns.sh.gz
SEE UPDATED VERSION BELOW.
edit:
There are several Bugs in the script.
-threshold not correctly implemented
-what if in the 10 captured packets contain more than 1 different domain?
-maybe more 😀
edit:
The script has been running for about 20h now and so far it has blacklistet several domains from being queried:
chinacache.net
n876.com
9aq.com
bcai007.com
bddns.cn
ve60.com
google176.com
xp88888.com
sf120.com
765uc.com
sf120.com
Update 4.11.2014:
I changed the script a little.
-It is now possible to have domains whitelisted
-You can now choose to block the target(domain) or the source (IP) of the attack
So far everything works quite good for me.
Download updated version: dns.sh_1.gz
Kommentare