
I am experiencing what I believe is a DNS amplification attack on my bind9 DNS server. I'm seeing many of the following on different IPs:

20:11:53.977254 IP 108.234.250.76.62926 > 69.265.222.253.53: 50679+ [1au] ANY? USADF.GOV. (38)

My server responds:

20:11:53.977776 IP 69.265.222.253.53 > 108.234.250.76.62926: 50679 Refused- 0/0/1 (38)

I imagine the IPs are spoofed. I have installed fail2ban in order to address the problem. Various howtos detail how to configure bind to log to /var/log/named/security.log and set up fail2ban. The security.log is filling nicely with lots of

29-Aug-2018 20:23:07.798 client @0x7fa1d013b990 66.69.234.170#29024 (USADF.GOV): query (cache) 'USADF.GOV/ANY/IN' denied

and fail2ban is indicating "Jail 'named-refused' started" but it never actually bans an IP.

2) I used fail2ban-regex to test the security.log line against fail2ban's named-refused regex, but it doesn't match! So I have to conclude either Debian bind9 changed the log output or fail2ban got it wrong. I'm using the latest fail2ban from Debian. Has anyone else got this to work?

-- Michael Galea
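As an added example (my code, not from the post or from fail2ban), a fail2ban-style parser for the Debian bind9 log line quoted above. Its pattern treats the "@0x..." client pointer between "client" and the address as optional; that pointer is my reading of why a failregex written for lines without it would never match. The sample log lines and the maxretry/findtime values are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: line 1 is the format quoted in the post (with the
# "client @0x..." pointer); the other denials lack the pointer, and the last
# line is unrelated noise that must not match.
SAMPLE_LOG = """\
29-Aug-2018 20:23:07.798 client @0x7fa1d013b990 66.69.234.170#29024 (USADF.GOV): query (cache) 'USADF.GOV/ANY/IN' denied
29-Aug-2018 20:23:08.102 client @0x7fa1d013b990 66.69.234.170#29025 (USADF.GOV): query (cache) 'USADF.GOV/ANY/IN' denied
29-Aug-2018 20:23:09.511 client 198.51.100.7#53001 (example.net): query (cache) 'example.net/A/IN' denied
29-Aug-2018 20:40:09.511 client 198.51.100.7#53002 (example.net): query (cache) 'example.net/A/IN' denied
29-Aug-2018 20:23:10.000 general: info: zone example.org/IN: loaded serial 2018082901
"""

# The "@0x<hex> " client pointer is optional, so both log formats match.
DENIED_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) .*?"
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"(?:\([^)]*\): )?query(?: \(cache\))? "
    r"'(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/IN' denied"
)

def parse_denied(line):
    """Return timestamp, source IP, name and type of a denied query, else None."""
    m = DENIED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return {"ts": ts, "ip": m.group("ip"), "qname": m.group("qname"),
            "qtype": m.group("qtype")}

def ips_to_ban(log_text, maxretry=2, findtime=600):
    """fail2ban-style decision: ban a source once it has `maxretry` denied
    queries inside any `findtime`-second window. Returns IPs in ban order."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = []
    for line in log_text.splitlines():
        ev = parse_denied(line)
        if ev is None or ev["ip"] in banned:
            continue
        hits = [t for t in recent[ev["ip"]] if ev["ts"] - t <= window] + [ev["ts"]]
        recent[ev["ip"]] = hits
        if len(hits) >= maxretry:
            banned.append(ev["ip"])
    return banned
```

Running `fail2ban-regex /var/log/named/security.log /etc/fail2ban/filter.d/named-refused.conf` shows whether the installed filter has the same optional pointer; if it reports zero matches on lines like the one above, that is the gap.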

Hi,

Normally, I would not respond to a post like yours :)

When people ask your DNS server a question, they are not logging into your system, so fail2ban is not the correct tool. The correct answer is any of the below:

- You need to write a program or a script. For example, on a small single system, one that checks your logs and then adds an iptables rule to your firewall.
- Larger systems/clusters simply customize bind, or maybe rate limit connections (check your named.conf: rate limit), and/or a combination of these things.
- There are also many other ways to stop this (for example forward write to your routers (if you have routers), etc.)

hth
Andre

On Wed, 29 Aug 2018 20:40:16 -0400 Michael Galea via talk <talk@gtalug.org> wrote:
> I am experiencing what I believe is a DNS amplification attack on my bind9 DNS server.
> I'm seeing many of the following on different IPs:
> 20:11:53.977254 IP 108.234.250.76.62926 > 69.265.222.253.53: 50679+ [1au] ANY? USADF.GOV. (38)
> My server responds:
> 20:11:53.977776 IP 69.265.222.253.53 > 108.234.250.76.62926: 50679 Refused- 0/0/1 (38)
> I imagine the IPs are spoofed. I have installed fail2ban in order to address the problem. Various howtos detail how to configure bind to log to /var/log/named/security.log and set up fail2ban.
> The security.log is filling nicely with lots of "29-Aug-2018 20:23:07.798 client @0x7fa1d013b990 66.69.234.170#29024 (USADF.GOV): query (cache) 'USADF.GOV/ANY/IN' denied" and fail2ban is indicating "Jail 'named-refused' started" but it never actually bans an IP.
> 2) I used fail2ban-regex to test the security.log line against fail2ban's named-refused regex, but it doesn't match! So I have to conclude either Debian bind9 changed the log output or fail2ban got it wrong.
> I'm using the latest fail2ban from Debian. Has anyone else got this to work?

Michael Galea via talk wrote:
> I am experiencing what I believe is a DNS amplification attack on my bind9 DNS server.
> I'm seeing many of the following on different IPs:
> 20:11:53.977254 IP 108.234.250.76.62926 > 69.265.222.253.53: 50679+ [1au] ANY? USADF.GOV. (38)
> My server responds:
> 20:11:53.977776 IP 69.265.222.253.53 > 108.234.250.76.62926: 50679 Refused- 0/0/1 (38)
> I imagine the IPs are spoofed.
I agree with the diagnosis, but IMHO it might be better to configure your nameserver not to respond at all to such queries, especially as anything you emit at all is likely going to a victim of an attack.

Internet-exposed DNS servers should really only respond to queries in domains for which they're authoritative. Recursive servers should be kept private enough to respond only to their local users.

Disclaimer: it's been years since I ran nameservers for a midsized ISP and had to be on top of all this.

-- Anthony de Boer

On 09/01/18 11:10, Anthony de Boer via talk wrote:
> Michael Galea via talk wrote:
> > I am experiencing what I believe is a DNS amplification attack on my bind9 DNS server.
> > I'm seeing many of the following on different IPs:
> > 20:11:53.977254 IP 108.234.250.76.62926 > 69.265.222.253.53: 50679+ [1au] ANY? USADF.GOV. (38)
> > My server responds:
> > 20:11:53.977776 IP 69.265.222.253.53 > 108.234.250.76.62926: 50679 Refused- 0/0/1 (38)
> > I imagine the IPs are spoofed.
> I agree with the diagnosis, but IMHO it might be better to configure your nameserver not to respond at all to such queries, especially as anything you emit at all is likely going to a victim of an attack.
> Internet-exposed DNS servers should really only respond to queries in domains for which they're authoritative. Recursive servers should be kept private enough to respond only to their local users.
> Disclaimer: it's been years since I ran nameservers for a midsized ISP and had to be on top of all this.
I regularly test my email and DNS servers to ensure they are non-forwarding/non-recursive. Someone on the list posted a DNS testing link (https://zonemaster.iis.se) recently and I used it to reconfirm I am still non-recursive. My server isn't responding to requests for a domain it's not authoritative for; it's issuing a harmful refusal to an innocent target spoofed by an attacker.

Out of interest, after I got fail2ban/shorewall working the way I want, I turned it off and activated rate limiting in bind. There are pros and cons to each. I will say I like the bind solution better because it is simpler and doesn't add software. The fail2ban solution is cleaner in that it eliminates all further traffic (until the unban time), and as shorewall drops the attacker's packets, there is no confirmation to the attackers or wasteful refusal sent to the attacker's target. Bind rate limiting will let a bit of that happen.

I have no conclusions yet. After 20 hours of the fail2ban solution being in place, the attackers stopped attacking, so bind rate limiting hasn't had a chance to demonstrate itself.

Am I missing some other configuration in bind?

-- Michael Galea
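As an added illustration (not from anyone in the thread), the named.conf options that bear on the two points raised: keeping an Internet-facing BIND authoritative-only, and using Response Rate Limiting so the REFUSED answers stop reaching the spoofed victim. The numeric values are assumptions to tune against real traffic, not recommendations for any particular server.

```conf
// /etc/bind/named.conf.options (added example; values are starting points)
options {
    // Authoritative-only: never recurse or serve cache data to the Internet.
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };
    allow-query { any; };        // answer only for zones this server carries
    allow-transfer { none; };

    // Shrink what an ANY query can amplify (BIND 9.11 and later):
    // return a single RRset instead of everything at the name.
    minimal-any yes;
    minimal-responses yes;

    // Response Rate Limiting. The refusals sent to a spoofed victim count as
    // "errors", so errors-per-second is the knob that matters in this case.
    rate-limit {
        responses-per-second 5;
        errors-per-second 5;
        window 5;        // seconds over which the per-second budget is averaged
        slip 2;          // every 2nd over-limit answer becomes a truncated reply,
                         // so real clients retry over TCP; the rest are dropped
        log-only no;     // set to yes first to see what would be limited
        exempt-clients { 127.0.0.1; ::1; };
    };
};
```

With log-only yes, BIND logs the would-be drops in the rate-limit log category, which is a safe way to confirm the limits bite on the spoofed ANY queries before they affect legitimate resolvers.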