HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


supanatral 23rd April 2013 03:49

DoS Attack Against Bind
 
First and foremost, my ISPConfig server was set up exactly as shown in this tutorial: Perfect Server

For the past 36 hours, my ISPConfig server has been up and down like a basketball for no apparent reason. The server never restarted, no services failed, no logs that stood out to me, etc, etc.

After looking at our firewall, I found that there was a continuous 5mbps upload for DNS traffic alone!!

Many hours later, I found out that my DNS server had the "recursion" option enabled, which allowed anyone in the world to use my DNS server to look up any website it pleased rather than only responding to the DNS zones that I personally host.

After I disabled recursion, I found that the "/var/log/messages" log file was being inundated with lines that show the following:
Quote:

22-Apr-2013 21:32:05.973 client 46.165.208.202#1: query (cache) 'ripe.net/ANY/IN' denied
22-Apr-2013 21:32:05.974 client 46.165.208.202#53: query (cache) 'ripe.net/ANY/IN' denied
22-Apr-2013 21:32:05.974 client 46.165.208.202#1: query (cache) 'ripe.net/ANY/IN' denied
22-Apr-2013 21:32:05.974 client 46.165.208.202#1: query (cache) 'ripe.net/ANY/IN' denied
22-Apr-2013 21:32:12.731 client 198.50.169.10#25345: query (cache) 'isc.org/ANY/IN' denied
22-Apr-2013 21:32:13.595 client 198.50.169.10#16016: query (cache) 'isc.org/ANY/IN' denied
22-Apr-2013 21:32:14.565 client 198.50.169.10#25345: query (cache) 'isc.org/ANY/IN' denied
I realized very quickly that I was receiving anywhere between 100-750 DNS queries every second!! After much more research, I finally configured the application fail2ban to watch my DNS logs and ban any IP address after 3 failed DNS queries for a period of 5 minutes.

Here is how I did it:

Disabling Recursion

The first thing I found was that by default, recursion was enabled on the bind server. I turned this off by editing the file /etc/named.conf:
Before:
Quote:

recursion yes;
After:
Quote:

recursion no;

Configuring Fail2Ban
Firstly, make the bind log file
Quote:

mkdir /var/log/named
chmod a+w /var/log/named
Next, edit /etc/named.conf and edit the logging options to show the following:
Quote:

logging {
channel security_file {
file "/var/log/named/security.log" versions 3 size 30m;
severity dynamic;
print-time yes;
};
category security {
security_file;
};
};

Restart Bind using:
Quote:

/etc/init.d/named restart
OK, now to set up fail2ban. Edit the /etc/fail2ban/jail.conf file and change from:
Quote:

[named-refused-udp]

enabled = false
To
Quote:

[named-refused-udp]

enabled = true
and from:
Quote:

[named-refused-tcp]

enabled = false
To
Quote:

[named-refused-tcp]

enabled = true
Then restart fail2ban in the usual manner,
Quote:

/etc/init.d/fail2ban restart

Credits:
http://www.debian-administration.org...il2ban_package

SunnyD 30th April 2013 19:34

While it's unlikely as a whole, with such a low threshold (3 failed queries in 5 minutes) especially if you host multiple domains, you could very well be blacklisting legitimate addresses.

Using a higher threshold (20 failed queries in 5 minutes for example) would be more than sufficient to block those that were using your previously open DNS resolver for DoS reflection purposes.
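
One way to check SunnyD's threshold point before touching fail2ban's maxretry: an added Python example (not from the thread, not fail2ban's own code) that parses denied-query lines in the format quoted in the first post and replays fail2ban's maxretry/findtime counting over a constructed sample log, so you can see which clients a threshold of 3 versus 20 would ban. The IP addresses in the sample are TEST-NET placeholders, not the ones from the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches BIND "query ... denied" lines as written to the security channel.
DENIED_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query \(cache\) "
    r"'(?P<qname>[^/]+)/(?P<qtype>\w+)/IN' denied$"
)

# Constructed sample log (TEST-NET addresses), modelled on the lines quoted above.
SAMPLE_LOG = """\
22-Apr-2013 21:32:05.973 client 192.0.2.10#1: query (cache) 'ripe.net/ANY/IN' denied
22-Apr-2013 21:32:05.974 client 192.0.2.10#53: query (cache) 'ripe.net/ANY/IN' denied
22-Apr-2013 21:32:05.974 client 192.0.2.10#1: query (cache) 'ripe.net/ANY/IN' denied
22-Apr-2013 21:32:12.731 client 198.51.100.7#25345: query (cache) 'isc.org/ANY/IN' denied
22-Apr-2013 21:32:13.595 client 198.51.100.7#16016: query (cache) 'isc.org/ANY/IN' denied
22-Apr-2013 21:32:20.000 client 203.0.113.5#4321: query (cache) 'example.com/A/IN' denied
22-Apr-2013 21:40:00.000 client 198.51.100.7#16016: query (cache) 'isc.org/ANY/IN' denied
""".splitlines()


def parse_denied(line):
    """Return (timestamp, ip, qname, qtype) for a denied-query line, else None."""
    m = DENIED_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("ip"), m.group("qname"), m.group("qtype")


def offenders(lines, maxretry=3, findtime=timedelta(minutes=5)):
    """Replay fail2ban's rule: an IP is banned once it has `maxretry` denied
    queries inside a sliding `findtime` window. Returns {ip: time_of_ban}."""
    window = defaultdict(deque)
    banned = {}
    for line in lines:
        parsed = parse_denied(line)
        if parsed is None:
            continue  # unrelated log line
        ts, ip, _, _ = parsed
        q = window[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()  # drop hits older than findtime
        if len(q) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for threshold in (3, 20):
        print(f"maxretry={threshold}: banned {sorted(offenders(SAMPLE_LOG, threshold))}")
```

With maxretry=3 only the client firing three ANY queries in one millisecond is banned; the client whose two hits fall outside the 5-minute window and the single-query client are left alone, and at maxretry=20 nothing in this sample is banned.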

supanatral 5th May 2013 06:11

Good call SunnyD.

The only other thing to be mindful of is whether or not the network firewall can handle the load. Although this significantly decreased the server load by performing the steps above, the DNS connections still needed to pass through the hardware firewall before the connection was passed onto the ISPConfig server and finally rejected by iptables.
