DNS Attacks

Ken A ka at pacific.net
Thu Jan 19 09:54:21 CST 2012


On 1/18/2012 1:45 AM, Leigh Porter wrote:
>
>
> On 18 Jan 2012, at 05:06, "toor"<lists at 1337.mx>  wrote:
>
>> Hi list,
>>
>> I am wondering if anyone else has seen a large amount of DNS
>> queries coming from various IP ranges in China. I have been trying
>> to find a pattern in the attacks but so far I have come up blank. I
>> am completly guessing these are possibly DNS amplification attacks
>> but I am not sure. Usually what I see is this:
>>
>
> At various seemingly random times over the past week I have had a DNS
> which is behind a firewall come under attack. The firewall is
> significant because the attacks killed the firewall as it is rather
> under specified (not my idea..).
>
> It did originate from Chinese address space and consisted of DNS
> queries for lots of hosts. There was also a port-scan in the traffic
> and a SYN attack on a few hosts on the same small subnet as the DNS,
> a web server and an open SSH port.
>

We are seeing this too, though we don't have the kind of exposure some 
of the larger providers do. fwiw.. If for some reason, you can't use a 
dedicated box for DNS and/or a simple acl to protect services on a box, 
you can turn off connection tracking in iptables per-port using the 
NOTRACK target.

iptables -t raw -I PREROUTING -p udp --dport 53 -j NOTRACK
iptables -t raw -I OUTPUT -p udp --sport 53 -j NOTRACK

http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#NOTRACKTARGET

Ken


-- 
Ken Anderson



More information about the NANOG mailing list