discuss - Re: [opennic-discuss] Today's DDoS

  • From: Guillaume Parent <gparent AT gparent.org>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] Today's DDoS
  • Date: Thu, 28 Mar 2013 13:04:12 -0400

Thank you very much,

On Mar 28, 2013 12:17 PM, "Stefan Sabolowitsch" <Stefan.Sabolowitsch AT felten-group.com> wrote:
Hi Guillaume,
sure, no problem. I reported it last year on the list "dns-operations AT lists.opennicproject.org".

-#-#-#-#-
Hi all,
We all fight against DDoS / DoS attacks on our DNS servers.

A short, small example:
2-Nov-2012 07:45:58.339 client 184.168.72.113#39943 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:45:58.453 client 93.170.127.96#46196 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:45:58.661 client 93.170.127.96#14231 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:46:00.065 client 184.168.72.113#12578 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:46:01.696 client 93.170.127.96#25345 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:46:01.786 client 184.168.72.113#25345 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:46:03.075 client 184.168.72.113#25345 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:46:03.509 client 184.168.72.113#25345 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)

I found this nice patch from DNS / DNSSEC expert Lutz Donnerhacke here:

And this small piece of information on this list.


After this patch and with these parameters in named.conf:

       dampening {
               exempt-clients { 216.87.84.214;128.177.28.254;207.192.71.13;66.244.95.11;202.83.95.229;84.200.228.200;178.63.116.152;75.127.96.89; };
               report-interval 60 ;
               score-per-query 1 ;
               score-first-query 10 ;
               min-table-size 500 ;
               max-table-size 1000 ;
               limit-maximum 32000 ;
               # limit-enable-dampening min. 0.3 from limit-maximum
               limit-enable-dampening 16000 ;
               # limit-disable-dampening min. 0.1 from limit-maximum or limit-enable-dampening
               limit-disable-dampening 5100 ;
               limit-irrelevant 150 ;
               score-qtype-any 100 ;
               score-duplicates 100 ;
               IPv4-prefix-length 24 ;
               IPv6-prefix-length 48 ;
       };
    
Now I found this new information in named.log:

27-Nov-2012 15:56:08.181 client 93.170.127.96#592 (isc.org): query: isc.org IN ANY +ED (192.168.200.12) 15956
27-Nov-2012 15:56:08.181 93.170.127.0/24 dampening activated.

In the first line, at the end, there is now the score value "15956".
In the second line you can see that this IP address / netblock has come into "Dampening" (limit-enable-dampening 16000).

After a week of testing, I can say it works very well.
I need no local firewall parameters or scripts to protect my test DNS server.

And here you can find all tests and information about "DNS Dampening":


Perhaps this information is also interesting for others with DNS servers.

Regards
Stefan 


On 28.03.2013 at 16:59, Guillaume Parent <gparent AT gparent.org> wrote:

Hi,

If it works well, can we have a few details about it? I'm starting to have a decent firewall setup but I think all of us would benefit from the info.

Thanks,

On Mar 28, 2013 10:56 AM, "Stefan Sabolowitsch" <Stefan.Sabolowitsch AT felten-group.com> wrote:
Hi Jeff / all,
Thank you for your help, but I have a good solution with DNS Dampening and a proactive IPS / FW.
Thus, all systems are stable and accessible (I hope so for the future).

regards
Stefan

On 28.03.2013 at 15:29, Jeff Taylor <shdwdrgn AT sourpuss.net> wrote:

Have you looked at http://wiki.opennic.glue/Tier2Security ?
If you can post a few examples of what you're getting from tcpdump, we could try to help.  Having several example packets will tell me if the bot hitting you is using a single port, or if there is a pattern in the attack we can use to block them.  Unfortunately the log snippet you posted does not give any useful info.


On 03/28/2013 02:06 AM, Stefan Sabolowitsch wrote:
Hi all,
I cannot say that it is quiet / silent for me.
On all three DNS servers, I've been getting constant DNS attacks for about 4 weeks, and this with 1-2k requests per second.

A really small example:
03/28/2013-06:13:39.134900 [Drop] [**] [1:2016016:6] ET CURRENT_EVENTS DNS Amplification Attack Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 178.32.81.230:47706 -> 192.168.100.160:53

But DNS Dampening and a proactive IPS system help me out here.

regards
Stefan 
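An added example (not part of the thread and not Lutz Donnerhacke's patch code) that models the dampening {} scoring from Stefan's mail: BIND query-log lines like the ones quoted above are parsed, each source is aggregated into its /24 or /48, the score grows by the score-* values, and dampening activates at limit-enable-dampening and releases below limit-disable-dampening. The exact scoring rules and the decay() step are assumptions based on the option names, not the real implementation, and the flood lines are constructed.

```python
import ipaddress
import re

# Values copied from the dampening {} block in Stefan's mail above.
P = {"score-per-query": 1, "score-first-query": 10, "score-qtype-any": 100,
     "score-duplicates": 100, "limit-maximum": 32000, "limit-enable-dampening": 16000,
     "limit-disable-dampening": 5100, "ipv4-prefix-length": 24, "ipv6-prefix-length": 48}
# Matches the BIND query-log lines quoted in the thread.
LOG_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \(.*?\): query: (?P<qname>\S+) \S+ (?P<qtype>\S+)")

class Dampener:
    # Per-prefix score table. Scoring rules are an assumption derived from the option
    # names; the real patch also decays scores over time, which decay() stands in for.
    def __init__(self, p=P):
        self.p, self.score, self.last, self.dampened = p, {}, {}, set()
    def prefix(self, ip):
        addr = ipaddress.ip_address(ip)
        plen = self.p["ipv4-prefix-length" if addr.version == 4 else "ipv6-prefix-length"]
        return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))
    def _state(self, net):
        # Hysteresis: activate at limit-enable-dampening, release below limit-disable-dampening.
        if self.score[net] >= self.p["limit-enable-dampening"]:
            self.dampened.add(net)
        elif self.score[net] < self.p["limit-disable-dampening"]:
            self.dampened.discard(net)
        return net, self.score[net], net in self.dampened
    def feed(self, line):
        m = LOG_RE.search(line)
        if not m:
            return None
        net, key = self.prefix(m["ip"]), (m["qname"].lower(), m["qtype"].upper())
        s = self.score.get(net, self.p["score-first-query"]) + self.p["score-per-query"]
        s += self.p["score-qtype-any"] if key[1] == "ANY" else 0
        s += self.p["score-duplicates"] if self.last.get(net) == key else 0  # same query again
        self.last[net], self.score[net] = key, min(s, self.p["limit-maximum"])
        return self._state(net)
    def decay(self, net, factor=0.5):
        self.score[net] = int(self.score[net] * factor)
        return self._state(net)

# Constructed flood in the thread's log format: one /24 repeating "isc.org ANY" 200 times.
FLOOD = ["22-Nov-2012 07:45:58.453 client 93.170.127.96#46196 (isc.org): "
         "query: isc.org IN ANY +ED (192.168.200.12)"] * 200

def first_dampened_index(lines, d=None):
    # 1-based index of the query that activates dampening, or None if it never does.
    d = d or Dampener()
    for i, line in enumerate(lines, 1):
        if d.feed(line)[2]:
            return i
    return None
```

With these parameters a single /24 repeating an ANY query is dampened on its 81st query (10 + 1 + 100 for the first, then 201 per repeat), and the score caps at limit-maximum.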