Last time I've got warings about DNS Amplification Attack from NFOservers.com DDoS notifier
2015-12-30 23:28:52.609178 IP (tos 0x0, ttl 54, id 42635, offset 0, flags [+], proto UDP (17), length 1500) my.dns.ip.addr.53 > 63.251.20.x.18150: 41159| 20/0/1 cpsc.gov. MX hormel.cpsc.gov. 5, cpsc.gov.[|domain]
2015-12-30 23:28:52.609632 IP (tos 0x0, ttl 54, id 42636, offset 0, flags [+], proto UDP (17), length 1500) my.dns.ip.addr.53 > 63.251.20.x.18150: 41159| 20/0/1 cpsc.gov. MX stagg.cpsc.gov. 5, cpsc.gov.[|domain] ..
2015-12-30 23:28:52.610109 IP (tos 0x0, ttl 54, id 42637, offset 0, flags [+], proto UDP (17), length 1500) my.dns.ip.addr.53 > 63.251.20.x.18150: 41159| 20/0/1 cpsc.gov. MX hormel.cpsc.gov. 5, cpsc.gov.[|domain]
For info
my.dns.ip.addr.53 - my VIP - external IP DNS address
63.251.20.x.18150 - dont know what this IP address range is
My server have to offer recursive queries for internal company network I have configured in bind9 section:
acl "trusted" {
172.16.0.0/16;
localhost;
localnets;
};
options {
...
allow-query { any; };
allow-recursion { trusted; };
allow-query-cache { trusted; };
...
}
I configured also RRL - Response Rate Limit:
rate-limit {
responses-per-second 5;
window 5;
};
Looks like my DNS server (bind9) refused bad queries like in the log: http://pastebin.com/A3XGwh04
but I would like block such queries by iptables. I'd do some research and found block by IPTABLES:
iptables -A INPUT -p udp -m udp --dport 53 -m string --from 50 --algo bm --hex-string '|0000FF0001|' -m recent --set --name dnsanyquery --rsource
iptables -A INPUT -p udp -m udp --dport 53 -m string --from 50 --algo bm --hex-string "|0000FF0001|" -m recent --name dnsanyquery --rcheck --seconds 10 --hitcount 1 -j DROP
but when I test my server from test machine with command: dig +nocmd @my.ip.dsn.addr domain.com any +multiline +noall +answer I'm getting no answer from dns and in addition logs still are full of queries with cpsc.gov so I decided to back my default iptables configuration
Next research i've found that soultions made by conntrack but it may cause NAT problems. My DNS is NAT'ed
When used another soultion found here on other topics:
iptables -A INPUT -p udp --port 53 -m hashlimit --hashlimit 1/minute --hashlimit-burst 5 -j ACCEPT
iptables -A INPUT -p udp --port 53 -j DROP
got nagios warrings - SOA sync problem, domain SLAVE not found etc
My next try:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 56 --algo bm --hex-string '|637073632e676f76|' -j DROP -m comment --comment "DROP DNS Q cpsc.gov"
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 50 --algo bm --hex-string '|6370736303676f763f|' -j DROP -m comment --comment "DROP DNS Q cpsc.gov"
-A INPUT -p udp -m udp --dport 53 -m string --string "cpsc.gov" --algo bm --from 40 --to 50 -m comment --comment "DROP DNS Q cpsc.gov" -j DROP
but still queries in logs
I'm still researching solution but maybe anyone here is much experienced with such attacks and can help me block queries like: cpsc.gov
query-errors: info: client 93.48.40.139#54822 (cpsc.gov): rate limit drop REFUSED error response to 93.48.40.0/24
Any help is appreciated.
VERY Important: Even if I disable recursion for ALL, my logs are full of warings like rate limit drop REFUSED error response to thats why I want block it by iptables.