On 09/01/18 11:10, Anthony de Boer via talk wrote:
> Michael Galea via talk wrote:
>> I am experiencing what I believe is a DNS amplification attack on my
>> bind9 DNS server.
>> I'm seeing many of the following on different IPs
>> 20:11:53.977254 IP 108.234.250.76.62926 > 69.265.222.253.53: 50679+ [1au] ANY? USADF.GOV. (38)
>> My server responds
>> 20:11:53.977776 IP 69.265.222.253.53 > 108.234.250.76.62926: 50679 Refused- 0/0/1 (38)
>> I imagine the IPs are spoofed.
> I agree with the diagnosis, but IMHO it might be better to configure your
> nameserver not to respond at all to such queries, especially as anything
> you emit at all is likely going to a victim of an attack.
> Internet-exposed DNS servers should really only respond to queries in
> domains for which they're authoritative. Recursive servers should be kept
> private enough to respond only to their local users.
> Disclaimer: it's been years since I ran nameservers for a midsized ISP
> and had to be on top of all this.
I regularly test my email and dns servers, to ensure they are
non-forwarding/non-recursive. Someone on the list posted a dns testing
link (https://zonemaster.iis.se) recently and I used it to reconfirm I
am still non-recursive.
My server isn't responding to requests for a domain it's not authoritative
for, it's issuing a harmful refusal to an innocent target spoofed by an
attacker.
Out of interest, after I got fail2ban/shorewall working the way I want,
I turned it off and activated rate limiting in bind.
There are pros and cons to each.
I will say I like the bind solution better because it is simpler and
doesn't add software.
The fail2ban solution is cleaner in that it eliminates all further traffic
(until the unban time), and as shorewall drops the attacker's packets,
there is no confirmation to the attackers or wasteful refusal sent to
the attacker's target. Bind rate limiting will let a bit of that happen.
I have no conclusions yet. After 20 hours of the fail2ban solution being
in place, the attackers stopped attacking. So bind rate limiting hasn't had
a chance to demonstrate itself.
Am I missing some other configuration in bind?
--
Michael Galea
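Added example, not from either poster: a named.conf `options` fragment that puts Anthony's "answer only for zones you are authoritative for" advice and Michael's BIND rate limiting side by side. The zone-independent directives are real BIND 9 options; the network ranges and the exempt monitoring hosts are placeholders, and the numeric limits are assumptions to be tuned against your own query rates.

```conf
// Example named.conf options for an Internet-facing, authoritative-only
// BIND 9 server (added illustration, not the thread's own config).
options {
    // Authoritative-only: never recurse, never serve cache contents to
    // anyone, but keep the zones we host reachable from everywhere.
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };
    allow-query { any; };

    // Response Rate Limiting (built in since BIND 9.10; 9.9.4 needed
    // --enable-rrl). Limits are per client address block, so a spoofed
    // /24 is throttled as a unit.
    rate-limit {
        responses-per-second 10;   // identical positive answers per block/sec
        errors-per-second 5;       // REFUSED/SERVFAIL, i.e. the traffic in the
                                   // tcpdump above, counted regardless of name
        window 5;                  // seconds of credit a block can accumulate
        slip 2;                    // every 2nd suppressed reply is sent as a
                                   // tiny TC=1 answer so real clients retry over
                                   // TCP; 0 drops everything, 1 truncates everything
        ipv4-prefix-length 24;
        ipv6-prefix-length 56;
        exempt-clients { 127.0.0.1; 192.0.2.0/24; };  // placeholder: own monitors
        log-only no;               // "yes" logs what would be limited, drops nothing
    };

    // BIND 9.11+: answer ANY with one RRset rather than everything at the
    // name, which removes most of the amplification in any reply that does
    // go out.
    minimal-any yes;
};
```

Two points worth checking before relying on this: with `slip 2`, half of the rate-limited replies still leave the server as small truncated responses to the spoofed source, which is the "bit of that" Michael describes, and `slip 0` closes that gap at the cost of legitimate clients sharing a throttled /24 getting no answer at all; and running with `log-only yes` for a day first shows in the `rate-limit` log category which client blocks would have been limited, so the thresholds can be set from observed traffic rather than guessed. Validate the file with `named-checkconf` before reloading.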
---
Talk Mailing List
[email protected]
https://gtalug.org/mailman/listinfo/talk