DNS-server used in DDOS attack

All questions related to servers
Post Reply
chris
Site Admin
Posts: 194
Joined: Mon Jul 21, 2008 9:52 am

DNS-server used in DDOS attack

Post by chris »

Last week someone come too me with the following problem:
He received a mail from his hosting-provider that is server was used in DNS DDoS-attack.

I find it it important enough to post it here.
The problem was the configuration of his DNS-server (named),
a common problem.
The solution is just a add 2 lines in the configuration.

The post:
I think your host provider is referring to Domain Name Server (DNS) amplification attack.
This does not mean that your server has been hacked.
In short; a Domain Name Server (DNS) amplification attack is a distributed denial of service (DDoS) that uses normal DNS response traffic to overwhelm a victims server.

More information can be found on this site:
http://www.us-cert.gov/ncas/alerts/TA13-088A

your DNS server probably needs too reply on DNS request of your domain or the sub-domains.
like www.yoursite.com, mail.yoursite.com, ...
but not too find the ip-address of yahoo.com, fo example.

The easiest solution is to disable recursion,
so your server will not try too find the ip-address of domains it doesn't know.

Bind9
Add the following to the global options in /var/named/chroot/etc/named.conf

Code: Select all

options {
     allow-query-cache { none; };
     recursion no;
};
Microsoft DNS Server
In the Microsoft DNS console tool:
Right-click the DNS server and click Properties.
Click the Advanced tab.
In Server options, select the “Disable recursion” check box, and then click OK.

There are other options to limit the (mis)use of your DNS-server.
But this one should stop most of it.

you can test your DNS-server with dig:

Code: Select all

dig yoursite.com @ip-of-dns-server
should give you the ip-addres

Code: Select all

dig yahoo.com @ip-of-dns-server
should respond with a denied request.

Code: Select all

 WARNING: recursion requested but not available
chris
Site Admin
Posts: 194
Joined: Mon Jul 21, 2008 9:52 am

Re: DNS-server used in DDOS attack

Post by chris »

The same can happen if you are running a NTP-server (Network Time Protocol).
This service is less common to be set on a web-server then a DNS-server.
But if it is running it can also be (mis-)used to setup a DDoS-attack.

The easiest solution is to upgrade to the latest version (at least 4.2.7p26).
More details can be found in CVE-2013-5211.

If you're running a normal NTP program to set the time on your server and need to know how to configure it to protect your machine, I suggest Team Cymru's excellent page on a [UREL=http://www.team-cymru.org/ReadingRoom/T ... plate.html]Secure NTP Template[/URL]. It shows how to secure an NTP client on Cisco IOS, Juniper JUNOS or using iptables on a Linux system.

For the UNIX/LINUX NTPD-daemon:
/etc/ntpd.conf
Too let act as a simple NTP client and never to allow NTP queries to it except from the loopback address:

Code: Select all

# by default act only as a basic NTP client
restrict -4 default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap
# allow NTP messages from the loopback address, useful for debugging
restrict 127.0.0.1
restrict ::1
# server(s) we time sync to
server 192.0.2.1
server 2001:DB8::1
server time.example.net
You can use iptables (Again if you use it only as a client)

Code: Select all

-A INPUT -s 0/0 -d 0/0 -p udp --source-port 123:123 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -s 0/0 -d 0/0 -p udp --destination-port 123:123 -m state --state NEW,ESTABLISHED -j ACCEPT
But mostly if you setup at NTP-server you want it to serve your internal network.
You can let the NTPD-server listen on on the internal ip:

Code: Select all

Addresses to listen on
listen on 192.168.1.1
# server(s) we time sync to
server 192.0.2.1
server 2001:DB8::1
server time.example.net
Post Reply