#1, 23rd April 2013, 04:49
supanatral (Member, joined Mar 2010)
DoS Attack Against Bind

First and foremost, my ISPConfig server was set up exactly as shown in this tutorial: Perfect Server

For the past 36 hours, my ISPConfig server has been up and down like a basketball for no apparent reason. The server never restarted, no services failed, no logs that stood out to me, etc, etc.

After looking at our firewall, I found that there was a continuous 5 Mbps upload for DNS traffic alone!!

Many hours later, I found out that my DNS server had the "recursion" option enabled, which allowed anyone in the world to use my DNS server to look up any website it pleased rather than only responding to the DNS zones that I personally host.

After I disabled recursion, I found that the "/var/log/messages" log file was being inundated with lines that show the following:
Quote:
22-Apr-2013 21:32:05.973 client 46.165.208.202#1: query (cache) 'ripe.net/ANY/IN' denied
22-Apr-2013 21:32:05.974 client 46.165.208.202#53: query (cache) 'ripe.net/ANY/IN' denied
22-Apr-2013 21:32:05.974 client 46.165.208.202#1: query (cache) 'ripe.net/ANY/IN' denied
22-Apr-2013 21:32:05.974 client 46.165.208.202#1: query (cache) 'ripe.net/ANY/IN' denied
22-Apr-2013 21:32:12.731 client 198.50.169.10#25345: query (cache) 'isc.org/ANY/IN' denied
22-Apr-2013 21:32:13.595 client 198.50.169.10#16016: query (cache) 'isc.org/ANY/IN' denied
22-Apr-2013 21:32:14.565 client 198.50.169.10#25345: query (cache) 'isc.org/ANY/IN' denied
I realized very quickly that I was receiving anywhere between 100-750 DNS queries every second!! After much more research, I finally configured the application fail2ban to watch my DNS logs and ban any IP address after 3 failed DNS queries for a period of 5 minutes.

Here is how I did it:

Disabling Recursion

First thing I found was that by default, recursion was enabled on the bind server. I turned this off by editing the file /etc/named.conf:
Before:
Quote:
recursion yes;
After:
Quote:
recursion no;

Configuring Fail2Ban
Firstly, make the bind log file:
Quote:
mkdir /var/log/named
chmod a+w /var/log/named
Next, edit /etc/named.conf and edit the logging options to show the following:
Quote:
logging {
    channel security_file {
        file "/var/log/named/security.log" versions 3 size 30m;
        severity dynamic;
        print-time yes;
    };
    category security {
        security_file;
    };
};

Restart Bind using:
Quote:
/etc/init.d/named restart
OK, now to set up fail2ban. Edit the /etc/fail2ban/jail.conf file and change from:
Quote:
[named-refused-udp]

enabled = false
To
Quote:
[named-refused-udp]

enabled = true
and from:
Quote:
[named-refused-tcp]

enabled = false
To
Quote:
[named-refused-tcp]

enabled = true
Then restart fail2ban in the usual manner,
Quote:
/etc/init.d/fail2ban restart

Credits:
http://www.debian-administration.org...il2ban_package

Last edited by supanatral; 23rd April 2013 at 05:07.
#2, 30th April 2013, 20:34
SunnyD (Junior Member, joined Mar 2013)

While it's unlikely as a whole, with such a low threshold (3 failed queries in 5 minutes), especially if you host multiple domains, you could very well be blacklisting legitimate addresses.

Using a higher threshold (20 failed queries in 5 minutes for example) would be more than sufficient to block those that were using your previously open DNS resolver for DoS reflection purposes.
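As an added illustration (not part of either post), the following Python replays BIND refusal lines of the format quoted in the first post with fail2ban-style maxretry/findtime counting, so the difference between the 3-strike and 20-strike thresholds discussed above can be seen on sample data. The 46.165.208.202 and 198.50.169.10 lines are the ones quoted in the thread; the 192.0.2.10 lines and the `general:` line are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Matches the BIND security-channel refusals quoted in the thread, e.g.
# "22-Apr-2013 21:32:05.973 client 46.165.208.202#1: query (cache) 'ripe.net/ANY/IN' denied"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query \(cache\) '(?P<q>[^']+)' denied$"
)

# Sample input: the first six lines are quoted in the thread; the 192.0.2.10 lines are
# constructed (RFC 5737 range) to model a client whose refusals spread over more than five minutes.
SAMPLE_LOG = [
    "22-Apr-2013 21:32:05.973 client 46.165.208.202#1: query (cache) 'ripe.net/ANY/IN' denied",
    "22-Apr-2013 21:32:05.974 client 46.165.208.202#53: query (cache) 'ripe.net/ANY/IN' denied",
    "22-Apr-2013 21:32:05.974 client 46.165.208.202#1: query (cache) 'ripe.net/ANY/IN' denied",
    "22-Apr-2013 21:32:12.731 client 198.50.169.10#25345: query (cache) 'isc.org/ANY/IN' denied",
    "22-Apr-2013 21:32:13.595 client 198.50.169.10#16016: query (cache) 'isc.org/ANY/IN' denied",
    "22-Apr-2013 21:32:14.565 client 198.50.169.10#25345: query (cache) 'isc.org/ANY/IN' denied",
    "22-Apr-2013 21:33:00.000 client 192.0.2.10#4000: query (cache) 'example.com/A/IN' denied",
    "22-Apr-2013 21:34:30.000 client 192.0.2.10#4001: query (cache) 'example.com/MX/IN' denied",
    "22-Apr-2013 21:45:00.000 client 192.0.2.10#4002: query (cache) 'example.com/A/IN' denied",
    "22-Apr-2013 21:45:01.000 general: info: zone example.org/IN: loaded serial 2013042201",
]

def parse_line(line):
    """Return (timestamp, client_ip, query) for a refused query, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("ip"), m.group("q")

def offenders(lines, maxretry, findtime=timedelta(minutes=5)):
    """Replay the log with fail2ban-style maxretry/findtime semantics: an IP is banned
    the moment `maxretry` refusals fall inside a sliding `findtime` window."""
    recent = defaultdict(list)
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _query = parsed
        if ip in banned:
            continue  # already banned; fail2ban's iptables rule would have dropped this packet
        # keep only refusals still inside the window, then add this one
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            banned[ip] = ts  # in a reflection flood this is usually a spoofed victim address
    return banned
```

With maxretry=3 both high-rate clients are banned within a second while 192.0.2.10, whose third refusal falls outside the five-minute window, is not; with maxretry=20 none of the sample clients reaches the threshold.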
#3, 5th May 2013, 07:11
supanatral (Member, joined Mar 2010)

Good call SunnyD.

The only other thing to be mindful of is whether or not the network firewall can handle the load. Although this significantly decreased the server load by performing the steps above, the DNS connections still needed to pass through the hardware firewall before the connection was passed onto the ISPConfig server and finally rejected by iptables.