Re: [opennic-discuss] Today's DDoS


  • From: Stefan Sabolowitsch <Stefan.Sabolowitsch AT felten-group.com>
  • To: "<discuss AT lists.opennicproject.org>" <discuss AT lists.opennicproject.org>
  • Subject: Re: [opennic-discuss] Today's DDoS
  • Date: Thu, 28 Mar 2013 16:17:33 +0000
  • Accept-language: de-DE, en-US
  • Domainkey-signature: a=rsa-sha1; s=feltengroup_com; d=felten-group.com; c=simple; q=dns; h=from:message-id; b=VuGqLrqjTsbZO8nMzxe/p/zA9eD+ngiDjYV3Om81w2xD+vzj5PHwuoctSvRK jV2E0Em73+TM2s4IvgICzgNuaO0phFBmiKWUVtGZsp5cqnNCuNgPzBRnD NTIRQwW7F4Mccrp7s/I709r/fMKdNaugxk+G0UCuKxglfbQ4hSWDnk=;
  • Vbr-info: md=felten-group.com; mc=all; mv=vbr.emailcertification.org;

Hi Guillaume,
sure, no problem. I reported it last year on this list, "dns-operations AT lists.opennicproject.org".

-#-#-#-#-
Hi all,
we all fight against DDoS and DoS attacks on our DNS servers.

A short example:
2-Nov-2012 07:45:58.339 client 184.168.72.113#39943 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:45:58.453 client 93.170.127.96#46196 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:45:58.661 client 93.170.127.96#14231 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:46:00.065 client 184.168.72.113#12578 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:46:01.696 client 93.170.127.96#25345 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:46:01.786 client 184.168.72.113#25345 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:46:03.075 client 184.168.72.113#25345 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:46:03.509 client 184.168.72.113#25345 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)

I found this nice patch from DNS/DNSSEC expert Lutz Donnerhacke, and this small piece of information on this list:

http://permalink.gmane.org/gmane.network.dns.operations/1148


After this patch, and with these parameters in named.conf:

    dampening {
        exempt-clients { 216.87.84.214; 128.177.28.254; 207.192.71.13; 66.244.95.11; 202.83.95.229; 84.200.228.200; 178.63.116.152; 75.127.96.89; };
        report-interval 60 ;
        score-per-query 1 ;
        score-first-query 10 ;
        min-table-size 500 ;
        max-table-size 1000 ;
        limit-maximum 32000 ;
        # limit-enable-dampening min. 0.3 from limit-maximum
        limit-enable-dampening 16000 ;
        # limit-disable-dampening min. 0.1 from limit-maximum or limit-enable-dampening
        limit-disable-dampening 5100 ;
        limit-irrelevant 150 ;
        score-qtype-any 100 ;
        score-duplicates 100 ;
        IPv4-prefix-length 24 ;
        IPv6-prefix-length 48 ;
    };
    
Now I found this new information in named.log:

27-Nov-2012 15:56:08.181 client 93.170.127.96#592 (isc.org): query: isc.org IN ANY +ED (192.168.200.12) 15956
27-Nov-2012 15:56:08.181 93.170.127.0/24 dampening activated.

At the end of the first line there is now the score value "15956".
In the second line you can see that this IP address/netblock has come into "dampening" (limit-enable-dampening 16000).

After a week of testing, I can say it works very well.
I need no local firewall parameters or scripts to protect my test DNS server.

And here you can find all tests and information about "DNS Dampening":

http://lutz.donnerhacke.de/eng/Blog/DNS-Dampening
http://lutz.donnerhacke.de/eng/Blog/First-results-from-DNS-Dampening
http://lutz.donnerhacke.de/eng/Blog/Two-weeks-of-DNS-Dampening
http://lutz.donnerhacke.de/eng/Blog/DNS-Dampening-under-the-microscope
http://lutz.donnerhacke.de/eng/Blog/DNS-Amplification-in-the-eyes-of-a-hosting-provider

Perhaps this information is also interesting for others with DNS servers.

Regards
Stefan 
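To make the scoring in the named.conf block above concrete, here is an added Python replay of the idea over BIND query-log lines. This is not Lutz Donnerhacke's patch and not code from the list; it is a simplified model written for this page: per-netblock scores are built from the score-* values quoted above (score-per-query, score-first-query, score-qtype-any, score-duplicates), a netblock is dampened once its score reaches limit-enable-dampening and released when ageing brings it below limit-disable-dampening. The halving in age(), the exempt-clients address and the log lines produced by make_burst() are all constructed for the example; the real patch's ageing behaviour is not reproduced.

```python
"""Simplified replay of DNS Dampening scoring over BIND query-log lines (added example)."""
import ipaddress
import re
from collections import defaultdict, namedtuple

# Scoring parameters taken from the named.conf block quoted in the thread.
# The exempt-clients entry is a constructed documentation address, not one of
# the addresses from the original list.
DAMPENING = {
    "exempt-clients": ["192.0.2.53"],
    "score-per-query": 1,
    "score-first-query": 10,
    "score-qtype-any": 100,
    "score-duplicates": 100,
    "limit-enable-dampening": 16000,
    "limit-disable-dampening": 5100,
    "IPv4-prefix-length": 24,
    "IPv6-prefix-length": 48,
}

# BIND 9 query-log line, e.g.
# 22-Nov-2012 07:45:58.339 client 203.0.113.10#39943 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+) \([^)]*\): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) \((?P<dst>[^)]*)\)$"
)

Verdict = namedtuple("Verdict", "netblock score action")


class DampeningTable:
    """Per-netblock score table. Scores grow per query; age() halves them once
    per report interval (the halving rate is an assumption of this model)."""

    def __init__(self, cfg):
        self.cfg = cfg
        self.scores = {}                 # netblock -> accumulated score
        self.seen = defaultdict(set)     # netblock -> {(qname, qtype)} for duplicate detection
        self.dampened = set()            # netblocks whose queries are currently dropped
        self.exempt = {ipaddress.ip_address(a) for a in cfg["exempt-clients"]}

    def netblock(self, ip_str):
        """Aggregate the client into its /24 (IPv4) or /48 (IPv6) as the config does."""
        ip = ipaddress.ip_address(ip_str)
        plen = self.cfg["IPv4-prefix-length"] if ip.version == 4 else self.cfg["IPv6-prefix-length"]
        return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

    def score_query(self, rec):
        """Score one parsed query and return the verdict for it."""
        ip = ipaddress.ip_address(rec["ip"])
        if ip in self.exempt:
            return Verdict(str(ip), 0, "exempt")
        block = self.netblock(rec["ip"])
        cfg = self.cfg
        points = cfg["score-per-query"]
        if block not in self.scores:
            points += cfg["score-first-query"]          # first query from this netblock
        if rec["qtype"].upper() == "ANY":
            points += cfg["score-qtype-any"]            # ANY is the amplification favourite
        key = (rec["qname"].lower(), rec["qtype"].upper())
        if key in self.seen[block]:
            points += cfg["score-duplicates"]           # same name/type repeated
        self.seen[block].add(key)
        total = self.scores.get(block, 0) + points
        self.scores[block] = total
        if block in self.dampened:
            return Verdict(block, total, "dropped")
        if total >= cfg["limit-enable-dampening"]:
            self.dampened.add(block)
            return Verdict(block, total, "dampening activated")
        return Verdict(block, total, "answer")

    def age(self):
        """Run once per report interval; returns the netblocks released."""
        released = []
        for block in list(self.scores):
            self.scores[block] //= 2
            if block in self.dampened and self.scores[block] < self.cfg["limit-disable-dampening"]:
                self.dampened.discard(block)
                released.append(block)
        return released


def replay(log_text, cfg=DAMPENING):
    """Feed every parsable log line through a fresh table; returns (table, verdicts)."""
    table = DampeningTable(cfg)
    verdicts = [table.score_query(m.groupdict())
                for m in map(LOG_RE.match, log_text.splitlines()) if m]
    return table, verdicts


def make_burst(ip, count, qname="isc.org", qtype="ANY"):
    """Constructed log lines: `count` identical queries from one client, the
    pattern the thread's snippet shows."""
    return "\n".join(
        f"22-Nov-2012 07:45:{i % 60:02d}.000 client {ip}#{40000 + i} ({qname}): "
        f"query: {qname} IN {qtype} +ED (192.168.200.12)"
        for i in range(count)
    )


if __name__ == "__main__":
    table, verdicts = replay(make_burst("203.0.113.10", 81))
    for v in verdicts[-2:]:
        print(f"{v.netblock} score {v.score}: {v.action}")
```

With the quoted parameters, a single /24 repeating the same ANY query scores 111 for the first query and 201 for each repeat, so the 81st query pushes the block over 16000 and it is dampened; two halvings then bring it under 5100 and release it.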


On 28.03.2013 at 16:59, Guillaume Parent <gparent AT gparent.org> wrote:

Hi,

If it works well, can we have a few details about it? I'm starting to have a decent firewall setup but I think all of us would benefit from the info.

Thanks,

On Mar 28, 2013 10:56 AM, "Stefan Sabolowitsch" <Stefan.Sabolowitsch AT felten-group.com> wrote:
Hi Jeff / all,
thank you for your help, but I have a good solution with DNS Dampening and a pro-active IPS/FW.
Thus, all systems are stable and accessible (I hope so for the future).

regards
Stefan

On 28.03.2013 at 15:29, Jeff Taylor <shdwdrgn AT sourpuss.net> wrote:

Have you looked at http://wiki.opennic.glue/Tier2Security ?
If you can post a few examples of what you're getting from tcpdump, we could try to help.  Having several example packets will tell me if the bot hitting you is using a single port, or if there is a pattern in the attack we can use to block them.  Unfortunately the log snippet you posted does not give any useful info.


On 03/28/2013 02:06 AM, Stefan Sabolowitsch wrote:
Hi all,
I can not say that it is quiet/silent for me.
On all three DNS servers I've been getting constant DNS attacks for about 4 weeks, with 1-2k requests per second.

A really small example:
03/28/2013-06:13:39.134900 [Drop] [**] [1:2016016:6] ET CURRENT_EVENTS DNS Amplification Attack Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 178.32.81.230:47706 -> 192.168.100.160:53

But DNS Dampening and a pro-active IPS system help me out here.

regards
Stefan 
