dns recursion/amplification attacks

bunder
Bodhisattva
Posts: 5956
Joined: Sat Apr 10, 2004 5:13 am
Post by bunder » Tue Jan 20, 2009 11:44 pm

anyone remember those DNS recursion attacks mentioned a few months ago? my network is being hammered by three servers on ISPrime... at first it was one server, then i blocked it... and then i started getting bombed by two more on a different network also owned by ISPrime.

Code:

Jan 18 10:43:08 internal2 named[15414]: client 76.9.16.171#23672: query (cache) './NS/IN' denied
Jan 20 10:57:29 internal2 named[15414]: client 66.230.160.1#26242: query (cache) './NS/IN' denied
Jan 20 10:57:30 internal2 named[15414]: client 66.230.128.15#16886: query (cache) './NS/IN' denied

since i blocked the second group (coincidentally they fall under one cidr range), they have been hammering my firewall with (what i'm assuming is) the same crap they were pelting my DNS server with...

Code:

IN=eth2 OUT=eth1 SRC=66.230.160.1 DST=192.168.1.11 LEN=45 TOS=0x00 PREC=0x00 TTL=48 ID=45945 PROTO=UDP SPT=20735 DPT=53 LEN=25
IN=eth2 OUT=eth1 SRC=66.230.128.15 DST=192.168.1.11 LEN=45 TOS=0x00 PREC=0x00 TTL=47 ID=39060 PROTO=UDP SPT=20161 DPT=53 LEN=25
IN=eth2 OUT=eth1 SRC=66.230.160.1 DST=192.168.1.11 LEN=45 TOS=0x00 PREC=0x00 TTL=47 ID=56296 PROTO=UDP SPT=63917 DPT=53 LEN=25
IN=eth2 OUT=eth1 SRC=76.9.16.171 DST=192.168.1.11 LEN=45 TOS=0x00 PREC=0x00 TTL=50 ID=64518 PROTO=UDP SPT=47812 DPT=53 LEN=25
IN=eth2 OUT=eth1 SRC=66.230.160.1 DST=192.168.1.11 LEN=45 TOS=0x00 PREC=0x00 TTL=48 ID=63675 PROTO=UDP SPT=17111 DPT=53 LEN=25
IN=eth2 OUT=eth1 SRC=66.230.160.1 DST=192.168.1.11 LEN=45 TOS=0x00 PREC=0x00 TTL=48 ID=64200 PROTO=UDP SPT=18622 DPT=53 LEN=25
IN=eth2 OUT=eth1 SRC=66.230.128.15 DST=192.168.1.11 LEN=45 TOS=0x00 PREC=0x00 TTL=47 ID=56195 PROTO=UDP SPT=59044 DPT=53 LEN=25
IN=eth2 OUT=eth1 SRC=66.230.128.15 DST=192.168.1.11 LEN=45 TOS=0x00 PREC=0x00 TTL=47 ID=29707 PROTO=UDP SPT=23832 DPT=53 LEN=25

i've already emailed their abuse department without reply. :?

i realize that these exploits might not originate from their networks, that those servers may be merely relaying the packets to my server...

all that said, has anyone else experienced these attacks via this company? anything i can do besides block them?

thanks
Last edited by bunder on Tue Jul 07, 2009 4:28 am, edited 2 times in total.
Neddyseagoon wrote:The problem with leaving is that you can only do it once and it reduces your influence.
banned from #gentoo since sept 2017
Post by bunder » Wed Jan 21, 2009 1:10 am

great... i'm not alone...

http://isc.sans.org/diary.html?storyid=5713

edit: i'm asking my isp to temporarily block these networks upstream.
Post by bunder » Wed Jan 21, 2009 9:02 pm

so i finally get an email back from my ISP...
Hi Chris

Actually those IPs are spoofed as someone, somewhere is performing a DNS Amplification attack ( http://www.securiteam.com/securityrevie ... 00I0W.html ) aimed at ISPrime who holds the IPs you've listed. You can visit the following NANOG thread for further info and official communication from ISPrime abuse dept ( http://www.merit.edu/mail.archives/nanog/msg14429.html )

That said, I've asked our DNS admin to investigate alternate mitigation steps asap. If your organization is running a caching DNS server I recommend you turn off recursion if you have not already done so.

1) DUHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH!
2) i did that ages ago (not that my server caches anything, it's authoritative for 3 domains, and recursive for two internal LANs)... that's more than i can say about my ISP's DNS servers... to this date, they are still globally recursive. :roll:
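The ISP's advice above as a concrete BIND 9 configuration. This is an added example, not bunder's actual named.conf: it assumes a server that is authoritative for a zone called example.org and should recurse only for 192.168.0.0/16 and 10.0.0.0/8 (the zone name, the ranges and the /var/bind directory are all assumptions). Two things help when reading the log lines in this thread. First, a query for the NS records of "." falls outside any zone the server is authoritative for, so BIND consults its recursion and cache ACLs and logs the refusal as a cache query; that is the `query (cache) './NS/IN' denied` line. Second, the attacker picks that query because an open resolver answers a 17-byte question with several hundred bytes of root-server names and addresses, all of which go to the spoofed source. BIND keeps `allow-recursion` (may the server resolve on this client's behalf) separate from `allow-query-cache` (may the client read what is already cached), so both are restricted here. The `rate-limit` block exists only in BIND 9.10 and later (9.9.4 had it as a compile-time option); drop it on older builds such as the ones current when this thread was written.

```conf
// Added example, not the poster's configuration. Assumed: zone example.org,
// internal ranges 192.168.0.0/16 and 10.0.0.0/8, BIND 9.10 or later.
acl "internal" {
    127.0.0.1;
    192.168.0.0/16;
    10.0.0.0/8;
};

options {
    directory "/var/bind";

    // Authoritative data is public: anyone may ask for the zones below.
    allow-query { any; };

    // Recursion and cache reads are for internal clients only. An outside
    // client asking for "./NS/IN" gets REFUSED instead of the root NS list,
    // which is what the log line "query (cache) './NS/IN' denied" records.
    allow-recursion { internal; };
    allow-query-cache { internal; };

    // Smaller answers mean less to reflect, even for legitimate queries.
    minimal-responses yes;

    // Response rate limiting (BIND 9.10+). A spoofed source gets at most
    // errors-per-second REFUSED replies per second; the rest are dropped,
    // except that one in every "slip" is still answered so a legitimate
    // client that shares the address can retry.
    rate-limit {
        responses-per-second 10;
        errors-per-second 5;
        slip 2;
    };
};

zone "example.org" {
    type master;
    file "example.org.zone";
};
```

Verify from a host outside the internal ranges with `dig @your.server . NS`: the answer section should be empty and the header should read `status: REFUSED`, while `dig @your.server example.org SOA` still returns the zone's SOA.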
scherz0
Apprentice
Posts: 154
Joined: Thu Oct 02, 2008 12:16 pm
Post by scherz0 » Thu Jan 22, 2009 10:15 am

Seems that the attack is going on at the same rate (one query every 2 seconds on each server), and still directed to the same 3 addresses. Strange thing...
If your organization is running a caching DNS server I recommend you turn off recursion if you have not already done so.
Uh ??? what would be a non recursive caching server :?
Post by bunder » Thu Jan 22, 2009 3:43 pm

yeah, they are still pounding my firewall too. :cry:
Post by bunder » Fri Jan 23, 2009 12:01 pm

how's this for a good morning?
<snip>
Jan 23 06:53:57 internal2 named[9564]: client 63.217.28.226#61334: query (cache) './NS/IN' denied
Jan 23 06:53:58 internal2 named[9564]: client 63.217.28.226#29712: query (cache) './NS/IN' denied
Jan 23 06:53:59 internal2 named[9564]: client 63.217.28.226#56332: query (cache) './NS/IN' denied
Jan 23 06:53:59 internal2 named[9564]: client 63.217.28.226#30636: query (cache) './NS/IN' denied
Jan 23 06:54:00 internal2 named[9564]: client 63.217.28.226#23741: query (cache) './NS/IN' denied
Jan 23 06:54:02 internal2 named[9564]: client 63.217.28.226#11343: query (cache) './NS/IN' denied
Jan 23 06:54:03 internal2 named[9564]: client 63.217.28.226#47417: query (cache) './NS/IN' denied
<snip>
this one is owned by "beyond the network inc", another american company.
Post by scherz0 » Fri Jan 23, 2009 6:10 pm

Same here, and now almost nothing "from" the first three addresses.

Quite harmless for the dns servers however, so I may stop updating my firewalls and just filter these "NS ." requests out from the dns logs.
Post by bunder » Sat Jan 24, 2009 10:14 am

so now it hits slashdot, and they're talking like this is netsol's problem... :roll:

what happened to isprime? they "started" this thing... and what about everyone else's dns servers? chopped liver anyone? 8O
Post by bunder » Sat Jan 24, 2009 8:15 pm

add another one to the list...
Jan 24 14:49:13 internal2 named[9564]: client 206.71.158.30#5092: query (cache) './NS/IN' denied
Jan 24 14:49:13 internal2 named[9564]: client 206.71.158.30#20593: query (cache) './NS/IN' denied
Jan 24 14:49:15 internal2 named[9564]: client 206.71.158.30#14597: query (cache) './NS/IN' denied
i also saw this one this morning too... almost didn't catch it. :?
Jan 24 15:06:29 internal2 named[9564]: client 66.238.93.161#38858: query (cache) './NS/IN' denied
Post by bunder » Tue Jan 27, 2009 12:50 pm

and 67.192.144.0, some rackspace box.
Jan 27 07:48:26 internal2 named[9564]: client 67.192.144.0#33313: query (cache) './NS/IN' denied
Stolz
Moderator
Posts: 3028
Joined: Sun Oct 19, 2003 4:26 am
Location: Hong Kong
Post by Stolz » Tue Jan 27, 2009 1:55 pm

bunder wrote:great... i'm not alone...
No, you are not alone. This comes from one of my servers in Spain:

Code:

# grep "view external: query (cache) './NS/IN' denied" /var/log/messages |  wc -l
30000

Code:

# grep "view external: query (cache) './NS/IN' denied" /var/log/messages | cut -d " " -f 7 | sort | uniq | cut -d "#" -f 1 | sort | uniq
204.11.51.59
204.11.51.60
204.11.51.61
208.37.177.61
208.37.177.62
208.78.169.234
208.78.169.235
208.78.169.236
209.123.8.64
63.217.28.226
66.230.160.1
67.192.144.0
76.9.16.171
Right now I'm working on a rule to have these IPs banned using fail2ban.
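Stolz's grep pipeline above, generalized. This added example is not code from the thread: it parses the two kinds of log line posted here (BIND's query-denied line, with or without the `view NAME:` field, and the netfilter LOG line), counts hits per source address, separates sources that sent the `./NS/IN` probe from sources whose query was refused for some other reason, and estimates each source's query rate from the syslog timestamps. The sample lines at the bottom are constructed for the example, modeled on the ones in this thread. A size check worth doing on the firewall lines: the UDP payload is LEN=25 minus the 8-byte UDP header, 17 bytes, which is exactly a DNS query for `.` NS IN (12-byte header, 1-byte root name, 2-byte type, 2-byte class), so the packets hitting the firewall are the same probe that named was refusing.

```python
"""Added example (not code from this thread): parse BIND 'query (cache) ...
denied' lines and netfilter LOG lines, count hits per source address, and
estimate each source's query rate. Sample lines are constructed, modeled on
the ones posted in this thread."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# BIND 9 syslog line. "view NAME:" is present only when views are configured.
BIND_DENIED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>\d+\.\d+\.\d+\.\d+)#(?P<port>\d+): (?:view \S+: )?"
    r"query \(cache\) '(?P<q>[^']+)' denied"
)
# netfilter LOG lines are KEY=VALUE pairs; LEN appears twice (IP, then UDP).
KV = re.compile(r"(\w+)=(\S*)")


def parse_bind(line):
    """Return (timestamp, ip, port, qname, qtype, qclass) or None."""
    m = BIND_DENIED.match(line)
    if not m:
        return None
    # "./NS/IN" is name/type/class; split from the right so a name that
    # itself contains a slash (rare, but legal) stays intact.
    qname, qtype, qclass = m.group("q").rsplit("/", 2)
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog has no year
    return ts, m.group("ip"), int(m.group("port")), qname, qtype, qclass


def parse_iptables(line):
    """Return (src, proto, dport) for a netfilter LOG line, else None."""
    kv = dict(KV.findall(line))
    if "SRC" not in kv or "PROTO" not in kv:
        return None
    return kv["SRC"], kv["PROTO"], int(kv.get("DPT", 0))


def summarize(lines):
    """Per source address: denied queries, how many of them were the './NS/IN'
    probe, firewall drops on 53/udp, and denied queries per second over the
    window in which that source was seen."""
    denied, root_ns, fw = Counter(), Counter(), Counter()
    stamps = defaultdict(list)
    for line in lines:
        b = parse_bind(line)
        if b:
            ts, ip, _port, qname, qtype, qclass = b
            denied[ip] += 1
            stamps[ip].append(ts)
            if (qname, qtype, qclass) == (".", "NS", "IN"):
                root_ns[ip] += 1
            continue
        f = parse_iptables(line)
        if f and f[1] == "UDP" and f[2] == 53:
            fw[f[0]] += 1

    report = {}
    for ip in sorted(set(denied) | set(fw), key=lambda a: tuple(map(int, a.split(".")))):
        t = stamps[ip]
        span = (max(t) - min(t)).total_seconds() if len(t) > 1 else 0.0
        report[ip] = {
            "denied": denied[ip],
            "root_ns": root_ns[ip],
            "fw_drops": fw[ip],
            # n queries spanning s seconds means n-1 intervals.
            "qps": (denied[ip] - 1) / span if span else 0.0,
        }
    return report


# Constructed sample: one run of the probe, one view-enabled server, one
# ordinary refused query, two firewall drops, and one unrelated TCP line.
SAMPLE = """\
Jan 23 06:53:57 internal2 named[9564]: client 63.217.28.226#61334: query (cache) './NS/IN' denied
Jan 23 06:53:58 internal2 named[9564]: client 63.217.28.226#29712: query (cache) './NS/IN' denied
Jan 23 06:53:59 internal2 named[9564]: client 63.217.28.226#56332: query (cache) './NS/IN' denied
Jan 23 06:54:00 internal2 named[9564]: client 63.217.28.226#23741: query (cache) './NS/IN' denied
Jan 23 06:54:03 internal2 named[9564]: client 63.217.28.226#47417: query (cache) './NS/IN' denied
Jan 23 06:54:05 ns1 named[15414]: client 204.11.51.59#4444: view external: query (cache) './NS/IN' denied
Jan 23 06:54:06 ns1 named[15414]: client 10.0.0.5#5353: query (cache) 'www.example.com/A/IN' denied
IN=eth2 OUT=eth1 SRC=66.230.160.1 DST=192.168.1.11 LEN=45 TOS=0x00 PREC=0x00 TTL=48 ID=45945 PROTO=UDP SPT=20735 DPT=53 LEN=25
IN=eth2 OUT=eth1 SRC=66.230.160.1 DST=192.168.1.11 LEN=45 TOS=0x00 PREC=0x00 TTL=48 ID=63675 PROTO=UDP SPT=17111 DPT=53 LEN=25
IN=eth2 OUT=eth1 SRC=192.0.2.9 DST=192.168.1.11 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=1 PROTO=TCP SPT=40000 DPT=22 LEN=40
""".splitlines()

if __name__ == "__main__":
    for ip, row in summarize(SAMPLE).items():
        # These addresses are the spoofed victims, not the attacker.
        print(f"{ip:16} denied={row['denied']:3} root_ns={row['root_ns']:3} "
              f"fw_drops={row['fw_drops']:3} qps={row['qps']:.2f}")
```

Feed it your real log with `summarize(open("/var/log/messages"))`. The addresses it lists are the spoofed victims, so the report is useful for telling your ISP or the victims what you saw, not for finding whoever is sending the packets.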
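The fail2ban rule Stolz mentions, as an added example rather than Stolz's own; the filter filename, the jail name and the log path are assumptions, and the jail uses the 0.8-era `jail.local` syntax. One caveat before copying it: the banned addresses are the spoofed victims, and an iptables rule on 53/udp also stops those networks' real resolvers from looking up the zones this server is authoritative for (compare bunder's later note that the Mozilla ranges were blocked only temporarily). What a ban buys you is that the victim stops receiving a REFUSED reply for every spoofed query and your log stops filling up; the attacker is not affected either way.

```ini
# Added example of the fail2ban rule described above, not Stolz's actual rule.
# Assumed: fail2ban 0.8-style configuration, BIND logging to /var/log/messages,
# and a filter file named /etc/fail2ban/filter.d/named-ns-root.conf (hypothetical).

# --- /etc/fail2ban/filter.d/named-ns-root.conf ---
[Definition]
# <HOST> is fail2ban's placeholder for the address to ban. The optional
# "view NAME:" matches servers that use views, as in the log lines above.
failregex = named\[\d+\]: client <HOST>#\d+: (?:view \S+: )?query \(cache\) '\./NS/IN' denied$
ignoreregex =

# --- /etc/fail2ban/jail.local ---
[named-ns-root]
enabled  = true
filter   = named-ns-root
# Drops only 53/udp from the source; it does not touch the server's other ports.
action   = iptables-multiport[name=named-ns-root, port="53", protocol=udp]
logpath  = /var/log/messages
# Ten refused root-NS queries inside a minute is far above anything a real
# resolver sends; the rate reported in this thread was about one every 2 s.
maxretry = 10
findtime = 60
bantime  = 3600
```

Test the filter before enabling the jail with `fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/named-ns-root.conf`; it prints how many lines matched and which addresses it would have banned.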
Post by bunder » Tue Jan 27, 2009 2:52 pm

got another one...

64.57.246.146 - 4t networks
Post by bunder » Wed Jan 28, 2009 12:11 pm

70.86.80.98 - theplanet
Post by bunder » Thu Jan 29, 2009 11:43 am

goooooooooood morning. :roll:

72.249.127.168 - networld internet services
72.20.3.82 - staminus communications
69.64.87.156 - abacus international
Post by bunder » Fri Jan 30, 2009 10:49 pm

208.76.253.253 - something called "Scam Fraud Alert", a "Colocation America Corp." box.
Post by bunder » Sat Jan 31, 2009 1:43 pm

i really hope this doesn't become a daily occurrence. :roll:

65.23.129.220 - datarealm internet services
64.27.1.194 - hollywood interactive inc
Post by bunder » Wed Feb 04, 2009 4:58 pm

my first non-american host...

89.149.221.182 - netdirekt (some german hosting provider)
Post by bunder » Wed Feb 11, 2009 1:18 am

almost when i thought this was over with, we get another one.

195.68.176.4 - orlan telecom russia
Post by bunder » Tue Mar 17, 2009 11:33 pm

oy vey. :?

59.151.50.247 + 59.151.50.248 - abitcool china
63.245.209.126 + 63.245.213.124 - mozilla?
Post by bunder » Tue Jul 07, 2009 3:53 am

after many months, they have returned. :(

64.92.236.215, 144.198.191.14 - macrovision

63.245.209.126, 63.245.213.10, 63.245.213.101, 63.245.213.102, 63.245.213.102, 63.245.213.124 - mozilla (again)

started around 9PM until i caught it just now. all ranges blocked (mozilla temporarily).
Post by bunder » Wed Jul 15, 2009 11:27 am

213.61.92.192 - asus germany
aricart
n00b
Posts: 16
Joined: Mon Jun 15, 2009 12:12 pm
Post by aricart » Wed Jul 15, 2009 4:34 pm

I've never had to play admin on a box that's connected to anything other than my local network. However, I do use snortsam on my workstations. Could something like that help?