
I just received an email from my website internet provider that my server has been "involved as open resolvers in DDoS attacks (DNS Reflection) over the past few weeks."

Here is the full email:

Subject: DNS amplification attack

Dear Sir or Madam,

We have received spam/abuse notification. Please take the necessary steps to prevent this from happening again in future.

Furthermore, we would request that you provide both ourselves and the person who has submitted this complaint with a short statement within 24 hours. This statement should include details of the events leading up to the incident and the steps you are taking to deal with it.

Next steps:
- Solve the problem
- Send your statement to us
- Send your statement to the person making the complaint per email

The details will then be checked by a colleague, who will coordinate further proceedings. In the event of several complaints, this may lead to the server being locked.

----- attachment -----

Dear Sir or Madam,

We have been informed that IP addresses from your network range have been involved as open resolvers in DDoS attacks (DNS Reflection) over the past few weeks.

Please see the attachment to this message for the IP addresses of the open DNS servers in your network range.

----- log file -----

Affected IP: 176.9.1.67

Thank you,

What can I do to confirm this and to identify the origin of this attack?

Thanks Eco


1 Answer


You can't identify the origin of the attack: the packets your DNS server is receiving are from spoofed source addresses.

Basically, an attacker is sending packets with forged source addresses to your DNS server. They're asking it questions that will result in it sending large responses. To use your DNS server as an attack tool the attacker is spoofing the source address of a host that they want to flood with garbage traffic and directing large numbers of DNS servers, just like yours, to bombard that host with bogus responses. Your DNS server isn't compromised or doing anything wrong, per se, but you shouldn't allow your DNS server to send these large responses to arbitrary questions to the Internet.

Basically, you need to reconfigure your DNS server not to provide recursive resolution services to the Internet. Your DNS server should answer requests only for the domains it is authoritative for.

Evan Anderson
  • Thanks Evan, could you point to some guide on how to do this type of configuration? – user180065 Jul 02 '13 at 19:49
  • @user180065 If you don't know how to turn off recursion, you probably shouldn't be operating a DNS server with a public IP address. You have not stated what type of DNS software you are using, so we cannot tell you what changes are necessary other than that. – Andrew B Jul 02 '13 at 22:06
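The answer above says the server is being abused as an open resolver and that the fix is to stop recursing for the Internet. The following script is an added example (not code from the question, the answer or any DNS project) that lets you confirm the first half of that yourself: it builds a DNS query with the Recursion Desired bit set for a name the server is not authoritative for, and reads the Recursion Available bit, RCODE and answer count from the reply. A server that returns RA=1, NOERROR and an answer for someone else's domain is an open resolver; a correctly configured authoritative-only server returns REFUSED or clears RA and returns nothing. The query name `example.com`, the transaction id `0x1234` and the default target `127.0.0.1` are assumptions; the three response packets at the bottom are constructed by hand so the classification logic can be exercised offline.

```python
"""
Check whether a DNS server answers recursive queries for names it does
not host (i.e. whether it is an "open resolver" usable for reflection).

Added example; not part of the original question or answer. Wire format
per RFC 1035. The sample responses at the bottom are constructed by hand
for offline testing, not captured from any real host.
"""
import socket
import struct

QUERY_ID = 0x1234  # assumed fixed transaction id for this example


def build_query(qname, qtype=1, txid=QUERY_ID, rd=True):
    """Build a minimal DNS query. rd=True sets the Recursion Desired bit."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):
        question += bytes([len(label)]) + label.encode("ascii")
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question


def parse_header(data):
    """Decode the 12-byte DNS header into a dict of the fields we need."""
    if len(data) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),     # response bit
        "aa": bool(flags & 0x0400),     # authoritative answer
        "rd": bool(flags & 0x0100),     # recursion desired (echoed)
        "ra": bool(flags & 0x0080),     # recursion available
        "rcode": flags & 0x000F,        # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(header):
    """
    Interpret a reply to a recursive query for a name the server does not
    host. Open resolver: RA set, NOERROR, at least one answer record.
    Closed: REFUSED, or RA clear with no answer section.
    """
    if header["rcode"] == 5:
        return "closed (REFUSED)"
    if header["ra"] and header["rcode"] == 0 and header["ancount"] > 0:
        return "OPEN RESOLVER"
    if not header["ra"]:
        return "closed (recursion not available)"
    return "inconclusive (rcode=%d, ancount=%d)" % (header["rcode"], header["ancount"])


def probe(server, qname="example.com", timeout=3.0):
    """Send one recursive A query over UDP to server:53 and classify the reply."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != QUERY_ID:
        raise ValueError("transaction id mismatch; reply not for our query")
    return classify(hdr)


# Constructed header-only responses for offline testing (classify() reads
# only the header). Flags: 0x8000 QR, 0x0100 RD, 0x0080 RA, low nibble RCODE.
OPEN_RESPONSE = struct.pack("!HHHHHH", QUERY_ID, 0x8180, 1, 1, 0, 0)     # QR RD RA, NOERROR, 1 answer
REFUSED_RESPONSE = struct.pack("!HHHHHH", QUERY_ID, 0x8105, 1, 0, 0, 0)  # QR RD, REFUSED
NO_RA_RESPONSE = struct.pack("!HHHHHH", QUERY_ID, 0x8100, 1, 0, 0, 0)    # QR RD, RA clear, no answer

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed target
    print(target, "->", probe(target))
```

Run it from a host outside your own network (`python3 probe.py 176.9.1.67`), since the goal is to see what an arbitrary Internet client gets; `dig @176.9.1.67 example.com` shows the same thing interactively (look for `ra` in the flags line and a non-empty ANSWER SECTION). Once the server no longer recurses, the classification should change to one of the "closed" results. For BIND 9 specifically, the setting the answer refers to is `recursion no;` in the `options` block of named.conf; other servers have their own equivalent, which is why the answer could not be more specific without knowing the software in use.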