I have a low bandwidth connection to my own DNS server, which serves only one domain (mine) externally. Since Sep 1 I've noticed very slooooooow internet response and did not find any visible reason. The next day I noticed that my named uses about 6% of CPU, which is not reasonable, because it is not supposed to be heavily used. I stopped the service, and voila! Internet response jumped back to normal. Another test: blocking the incoming UDP port 53 solved the situation too, with the bind service back UP. O-o.... An attack is coming... Why me? I had just registered a DNS server...
Let's check what really happens. What logs to see? No logs... We have to turn them on. I found a lot of brilliant examples on the internet. If you are a serious DNS provider, follow those recommendations. My aim was to send a log of queries to syslog (I will explain later why).
Here is the relevant part of /etc/named.conf:
logging {
    channel syslog_user {
        syslog user;
        severity debug 10;
        print-category yes;
        print-severity yes;
    };
    category queries { syslog_user; };
};
Start named again (and remove the firewall rule blocking UDP port 53 mentioned above). Do you have enough space in /var? Let's inspect the attack. Here are typical queries:
info: client 122.136.196.117#25379: view external: query: aa.mmtac1.com IN ANY +E (192.168.20.50)
info: client 199.168.99.130#46235: view external: query: bitstress.com IN ANY +E (192.168.20.50)
info: client 37.49.226.222#25345: view external: query: isc.org IN ANY +ED (192.168.20.50)
info: client 80.82.65.204#49037: view external: query: xplodin.com IN A +E (192.168.20.50)
info: client 31.220.0.92#4334: view external: query: . IN ANY +E (192.168.20.50)
My DNS serves two views called "external" and "lan". The "view external:" part relates only to my configuration; your messages may vary.
My DNS serves my domain name _only_ over the external view. Therefore any other request will be considered an attempted attack, and the offending IP will be blocked immediately. Probably they are also victims, so the iptables rules should be regularly flushed to reset the blocking list. Bind will be configured to pass its query log to syslog-ng, which will detect attacking lines with its rich filters and start an external helper.
Create a script, let's name it /root/bin/d_dns_attack:
#!/bin/bash
# Started by syslog-ng; receives one matching named query log line per line on stdin.
while read -r line ; do
    # Dig client IP from query info. With sed -n ... p only a line that really
    # matches prints anything, so a non-matching line leaves $ip empty.
    ip=$(echo "$line" | sed -n 's/.* client \([0-9.]*\)#[0-9]*: view.*/\1/p')
    [ -z "$ip" ] && continue
    # Check if this IP is already blocked
    iptables -L -n | grep -q "DROP.* udp .*$ip .*udp" && continue
    # Add it to the DROP list. Flush iptables regularly (daily ?)
    iptables --insert INPUT -p udp --dport 53 -s "$ip/32" -j DROP
done
Again, the view keyword in the sed regular expression is relevant to my configuration only. Adapt this to your needs.
Install syslog-ng instead of what_you_have. Check that it starts at system start. Find its configuration file; in my (Fedora) installation it resides at /etc/syslog-ng/syslog-ng.conf. Add something like this:
# bind attackers added to iptables. Do not forget to flush iptables sometimes
# good entry example:
# Sep 22 18:12:36 tower named[1795]: queries: info: client 37.142.90.100#57898: view external: query: tower.voleg.info IN A + (192.168.20.50)
filter f_dns_attack { ( not match("voleg.info") ) and match("view external") };
destination d_dns_attack { program("/root/bin/d_dns_attack"); };
log { source(s_sys); filter(f_dns_attack); destination(d_dns_attack); };
Again, bad queries are detected by the "view external" keyword, which is relevant to my configuration only; yours may differ.
Check the results by reading /var/log/messages and with the iptables -L -n command. Here are one day's attackers:
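To see the filter and the helper working end to end without root, here is an added dry-run version in plain shell (example code, not the blog's own script). It applies the same two conditions as the syslog-ng filter above (the query hit the external view and the name is not in the served zone), but checks the zone by suffix rather than by substring, so a query for some-other-domain.com containing the zone name as a substring would still be flagged; it deduplicates client IPs and prints the iptables commands into a dedicated chain instead of executing them. The zone voleg.info and the view name come from the post; the chain name DNS_ATTACK and the two sample log lines not quoted above are my own constructions.

```bash
#!/bin/bash
# Added dry-run classifier for named query log lines (not the blog's script).
# Assumptions: the served zone is voleg.info and only the "external" view is
# exposed to the internet (both from the post); DNS_ATTACK is a hypothetical
# dedicated chain so that flushing the block list does not wipe INPUT.
SERVED_DOMAIN="voleg.info"
EXPOSED_VIEW="external"
BLOCK_CHAIN="DNS_ATTACK"

# Constructed sample log: the query lines quoted in the post, plus one legitimate
# query for the served zone, one query from the internal "lan" view, and one
# repeated attacker (to show deduplication).
SAMPLE_LOG='info: client 122.136.196.117#25379: view external: query: aa.mmtac1.com IN ANY +E (192.168.20.50)
info: client 199.168.99.130#46235: view external: query: bitstress.com IN ANY +E (192.168.20.50)
info: client 37.49.226.222#25345: view external: query: isc.org IN ANY +ED (192.168.20.50)
info: client 80.82.65.204#49037: view external: query: xplodin.com IN A +E (192.168.20.50)
info: client 31.220.0.92#4334: view external: query: . IN ANY +E (192.168.20.50)
info: client 37.142.90.100#57898: view external: query: tower.voleg.info IN A + (192.168.20.50)
info: client 192.168.20.7#51234: view lan: query: www.example.com IN A + (192.168.20.50)
info: client 122.136.196.117#25380: view external: query: aa.mmtac1.com IN ANY +E (192.168.20.50)'

# Read query log lines on stdin; print each distinct client IP that asked the
# exposed view for a name outside the served zone (one IP per line, sorted).
dns_attack_ips() {
    # sed extracts "ip qname qtype" and prints only lines in the expected format
    sed -n "s/.* client \([0-9.]*\)#[0-9]*: view $EXPOSED_VIEW: query: \([^ ]*\) IN \([A-Z0-9]*\) .*/\1 \2 \3/p" |
    while read -r ip qname qtype; do
        case "$qname" in
            "$SERVED_DOMAIN"|*."$SERVED_DOMAIN") continue ;;   # a name we serve: legitimate
        esac
        printf '%s\n' "$ip"
    done | sort -u
}

# Print (rather than run) the block rule for one offending IP, placed in the
# dedicated chain so the daily flush can target that chain alone.
block_rule() {
    printf 'iptables -A %s -p udp --dport 53 -s %s/32 -j DROP\n' "$BLOCK_CHAIN" "$1"
}

# One-time chain setup, also printed rather than executed.
chain_setup() {
    printf 'iptables -N %s\niptables -I INPUT -p udp --dport 53 -j %s\n' "$BLOCK_CHAIN" "$BLOCK_CHAIN"
}

# Dry run over the constructed sample: prints the rules that would be added.
chain_setup
printf '%s\n' "$SAMPLE_LOG" | dns_attack_ips | while read -r ip; do block_rule "$ip"; done
```

With the rules in their own chain, the periodic reset the post recommends becomes a flush of that chain only, so the rest of INPUT is never touched. To make it live, replace the printf in block_rule with the real iptables call and feed the function from syslog-ng exactly as the post does.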
DROP udp -- 223.207.228.41 0.0.0.0/0 udp dpt:53
DROP udp -- 31.220.0.92 0.0.0.0/0 udp dpt:53
DROP udp -- 119.92.60.115 0.0.0.0/0 udp dpt:53
DROP udp -- 171.4.126.14 0.0.0.0/0 udp dpt:53
DROP udp -- 46.65.236.90 0.0.0.0/0 udp dpt:53
DROP udp -- 124.6.181.90 0.0.0.0/0 udp dpt:53
DROP udp -- 180.183.155.109 0.0.0.0/0 udp dpt:53
DROP udp -- 81.17.30.34 0.0.0.0/0 udp dpt:53
DROP udp -- 80.82.65.204 0.0.0.0/0 udp dpt:53
DROP udp -- 223.205.160.116 0.0.0.0/0 udp dpt:53
DROP udp -- 198.27.85.112 0.0.0.0/0 udp dpt:53
DROP udp -- 85.25.130.11 0.0.0.0/0 udp dpt:53
DROP udp -- 101.109.207.90 0.0.0.0/0 udp dpt:53
DROP udp -- 37.59.76.13 0.0.0.0/0 udp dpt:53
DROP udp -- 64.40.9.26 0.0.0.0/0 udp dpt:53
DROP udp -- 207.244.68.10 0.0.0.0/0 udp dpt:53
DROP udp -- 171.98.62.212 0.0.0.0/0 udp dpt:53
DROP udp -- 198.7.57.200 0.0.0.0/0 udp dpt:53
DROP udp -- 176.31.24.243 0.0.0.0/0 udp dpt:53
DROP udp -- 38.67.138.54 0.0.0.0/0 udp dpt:53
DROP udp -- 192.241.202.217 0.0.0.0/0 udp dpt:53
DROP udp -- 171.98.86.21 0.0.0.0/0 udp dpt:53
DROP udp -- 124.36.56.118 0.0.0.0/0 udp dpt:53
DROP udp -- 108.59.9.97 0.0.0.0/0 udp dpt:53
DROP udp -- 119.93.7.211 0.0.0.0/0 udp dpt:53
DROP udp -- 31.220.0.49 0.0.0.0/0 udp dpt:53
DROP udp -- 31.204.130.42 0.0.0.0/0 udp dpt:53
DROP udp -- 94.75.201.83 0.0.0.0/0 udp dpt:53
DROP udp -- 184.22.178.26 0.0.0.0/0 udp dpt:53
DROP udp -- 118.139.182.60 0.0.0.0/0 udp dpt:53
DROP udp -- 121.58.235.130 0.0.0.0/0 udp dpt:53
DROP udp -- 37.49.226.222 0.0.0.0/0 udp dpt:53
DROP udp -- 192.210.211.8 0.0.0.0/0 udp dpt:53
DROP udp -- 31.220.0.73 0.0.0.0/0 udp dpt:53
DROP udp -- 171.99.144.123 0.0.0.0/0 udp dpt:53
DROP udp -- 49.231.102.238 0.0.0.0/0 udp dpt:53
DROP udp -- 89.248.161.138 0.0.0.0/0 udp dpt:53
DROP udp -- 1.1.215.219 0.0.0.0/0 udp dpt:53
DROP udp -- 125.25.174.73 0.0.0.0/0 udp dpt:53
DROP udp -- 223.207.150.239 0.0.0.0/0 udp dpt:53
DROP udp -- 192.210.200.214 0.0.0.0/0 udp dpt:53
DROP udp -- 199.168.99.130 0.0.0.0/0 udp dpt:53
DROP udp -- 101.51.189.92 0.0.0.0/0 udp dpt:53
DROP udp -- 31.220.0.67 0.0.0.0/0 udp dpt:53
DROP udp -- 5.79.87.80 0.0.0.0/0 udp dpt:53
DROP udp -- 82.22.39.206 0.0.0.0/0 udp dpt:53
DROP udp -- 199.192.0.157 0.0.0.0/0 udp dpt:53
DROP udp -- 110.170.48.130 0.0.0.0/0 udp dpt:53
DROP udp -- 113.53.99.141 0.0.0.0/0 udp dpt:53
DROP udp -- 87.2.112.67 0.0.0.0/0 udp dpt:53
DROP udp -- 171.98.126.182 0.0.0.0/0 udp dpt:53
DROP udp -- 198.245.60.162 0.0.0.0/0 udp dpt:53
DROP udp -- 69.197.35.79 0.0.0.0/0 udp dpt:53
DROP udp -- 223.205.248.95 0.0.0.0/0 udp dpt:53
DROP udp -- 184.95.39.73 0.0.0.0/0 udp dpt:53
DROP udp -- 64.62.186.48 0.0.0.0/0 udp dpt:53
DROP udp -- 38.64.138.166 0.0.0.0/0 udp dpt:53
DROP udp -- 79.25.98.53 0.0.0.0/0 udp dpt:53
DROP udp -- 37.59.176.216 0.0.0.0/0 udp dpt:53
DROP udp -- 192.96.206.190 0.0.0.0/0 udp dpt:53
DROP udp -- 199.192.157.102 0.0.0.0/0 udp dpt:53
DROP udp -- 118.172.132.91 0.0.0.0/0 udp dpt:53
DROP udp -- 111.84.51.127 0.0.0.0/0 udp dpt:53
DROP udp -- 122.136.196.117 0.0.0.0/0 udp dpt:53
DROP udp -- 180.180.50.146 0.0.0.0/0 udp dpt:53
DROP udp -- 31.220.0.50 0.0.0.0/0 udp dpt:53
I thought it was about DDoS, but these look like some virus victims.
Actually, all this is not needed if you did Securing BIND9.