4

Our W2K3 DNS servers seem to be under some kind of DOS attack, but I can't seem to find any description of, or rationale for the attack.

Three specific remote hosts have been bombarding two of our three DNS servers with lines like this:

8937  891.093750  91.205.43.25  ns2.me.com  DNS  DNS: QueryId = 0xDA7C, QUERY (Standard query), Query  for   of type NS on class Internet
8938  891.218750  91.205.43.25  ns2.me.com  DNS  DNS: QueryId = 0xA504, QUERY (Standard query), Query  for   of type NS on class Internet
8939  891.219727  91.205.43.25  ns1.me.com  DNS  DNS: QueryId = 0x4E3F, QUERY (Standard query), Query  for   of type NS on class Internet
8940  891.370117  69.197.181.26   ns1.me.com  DNS  DNS: QueryId = 0xA8CC, QUERY (Standard query), Query  for   of type NS on class Internet
8941  891.372070  69.197.181.26   ns2.me.com  DNS  DNS: QueryId = 0xC808, QUERY (Standard query), Query  for   of type NS on class Internet
8942  891.476562  91.205.43.25  ns2.me.com  DNS  DNS: QueryId = 0xCC37, QUERY (Standard query), Query  for   of type NS on class Internet
8943  891.478516  91.205.43.25  ns1.me.com  DNS  DNS: QueryId = 0xEDEC, QUERY (Standard query), Query  for   of type NS on class Internet

There have been about 10 per second of these for several days now. Each attacker tries both the attacked servers in rapid succession, although they never try our third server.

Here is a sample of the detail of each packet:

  Frame: 
+ Ethernet: Etype = Internet IP (IPv4)
+ Ipv4: Next Protocol = UDP, Packet ID = 20114, Total IP Length = 45
+ Udp: SrcPort = 23909, DstPort = DNS(53), Length = 25
- Dns: QueryId = 0xEDEC, QUERY (Standard query), Query  for   of type NS on class Internet
    QueryIdentifier: 60908 (0xEDEC)
  - Flags:  Query, Opcode - QUERY (Standard query), RD, Rcode - Success
     QR:                (0...............) Query
     Opcode:            (.0000...........) QUERY (Standard query) 0
     AA:                (.....0..........) Not authoritative
     TC:                (......0.........) Not truncated
     RD:                (.......1........) Recursion desired
     RA:                (........0.......) Recursive query support not available
     Zero:              (.........0......) 0
     AuthenticatedData: (..........0.....) Not AuthenticatedData
     CheckingDisabled:  (...........0....) Not CheckingDisabled
     Rcode:             (............0000) Success 0
    QuestionCount: 1 (0x1)
    AnswerCount: 0 (0x0)
    NameServerCount: 0 (0x0)
    AdditionalCount: 0 (0x0)
  - QRecord:   of type NS on class Internet
     QuestionName: 
     QuestionType: NS, Authoritative name server, 2(0x2)
     QuestionClass: Internet, 1(0x1)

We currently have our firewall configured to simply drop requests from the three attackers, but if I allow them through, our server responds with a long answer listing the names (but not addresses) of all the root hint servers, and it seems to do this regardless of whether or not recursion is turned on.

Anyone have any idea what this is about? Can I get the incoming traffic to stop, or am I stuck blocking it at the firewall until they get bored?

Thanks for any info,
Paul

Tom O'Connor
  • Just for the record, this attack continues unabated, three weeks later. The spoofed sender (i.e. the target) changes from day-to-day, but our firewall is still dropping 1.2 to 1.5 million packets a day just from this one issue. – evenmoreconfused Aug 13 '10 at 18:06

3 Answers

6

This may not be a DoS against you - it's much more likely that your machines are being used to send packets to someone else.

This is called an "amplification attack". They send you a 25 byte DNS request - you send back ~500 bytes of root hints.

If this is the case, the source IP addresses are actually spoofed, and they're taking advantage of your large response to enhance the effect of their DoS against those spoofed IP addresses.

Dropping the packets at your firewall is probably the best you can do at the moment.

However the real solution in the long term is to configure your DNS server to return the REFUSED response code for any query for which the server is not authoritative. If you do that then your server would no longer be a useful tool for future amplification attacks on other people.

Alnitak
  • Thank you, I think this is the explanation I was looking for. I have tried to configure the W2K3 DNS service to return REFUSED, but it seems to always respond with a list of root hints, regardless of what settings I use. Perhaps this is why they choose this particular construction of query? – evenmoreconfused Jul 25 '10 at 12:01
2

Perhaps echoing Alnitak, I don't understand the purpose of your DNS servers.

Are they public-facing authoritative servers providing information about your domains? If so, no need to respond to any other queries other than those they are authoritative for. 10 requests per second doesn't sound like anything you should worry about if you're not sending responses anyway.

Is this an internal recursive / caching server, providing services for internal users? If so, there should be a view that can match-clients (in BIND syntax) and not receive requests from outside your network. If you already have this and the requests are coming from segments you control, well, hunt those clients down!

medina
  • These are public-facing servers -- I do clearly understand the need for the two different types. The problem is that I can't seem to configure the servers not to return the root hints for this specific. I'm going to have to do more experiments to see if I can find a solution. Sadly our firewall doesn't seem to be sophisticated enough to filter only this type of request (i.e. a valid DNS request from a random for a blank domain). It is true that 10 requests a second isn't the end of the world, but it's annoying and, until Alnitak's explanation, I didn't understand the point. – evenmoreconfused Jul 25 '10 at 12:14
  • see if you can filter by packet length instead - the ". NS" question is very short - real requests to your DNS server will be longer because they have your domain name in them. – Alnitak Jul 25 '10 at 13:59
  • What DNS server software are you using? -- nm, I see you indicated W2K3 DNS in the o.p. – medina Jul 25 '10 at 14:58
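The following is an added example, not code from the question or any of the answers. It parses the raw DNS payload of the kind captured above (a 17-byte question for the root name "." of type NS, as in Alnitak's answer), flags that shape, applies the packet-length filter suggested in Alnitak's comment, and computes the amplification ratio against the ~500-byte root-hints reply. The 500-byte reply size and the sample payloads are assumptions constructed for the demonstration.

```python
import struct

# Sizes from the page: the attacker's DNS payload is 17 bytes (UDP length 25
# minus the 8-byte UDP header); the root-hints reply is ~500 bytes (Alnitak).
ROOT_HINTS_RESPONSE_BYTES = 500  # assumed typical reply size
TYPE_NS, CLASS_IN, FLAG_RD = 2, 1, 0x0100
MIN_QUERY_LEN = 17               # 12-byte header + root name (1) + type (2) + class (2)

def parse_question(payload: bytes):
    """Return (qname, qtype, qclass, rd) for a single-question standard query, else None."""
    if len(payload) < 12:
        return None
    _qid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF != 0 or qdcount != 1:
        return None                  # a response, a non-standard opcode, or not exactly one question
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(payload):
            return None              # compression pointer or truncated label: not a plain question
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    else:
        return None                  # name never terminated
    if pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels) + ".", qtype, qclass, bool(flags & FLAG_RD)

def is_root_ns_probe(payload: bytes) -> bool:
    """True for the exact shape in the capture: question '.' (root), type NS, class IN."""
    parsed = parse_question(payload)
    return parsed is not None and parsed[:3] == (".", TYPE_NS, CLASS_IN)

def is_minimal_length_query(payload: bytes) -> bool:
    """Alnitak's length heuristic: only a query for the bare root name can be this short."""
    return len(payload) == MIN_QUERY_LEN

def amplification_factor(query_len: int, response_len: int = ROOT_HINTS_RESPONSE_BYTES) -> float:
    """Bytes the server sends out per byte the spoofed sender pays."""
    return response_len / query_len

# Constructed sample payloads (not bytes from the page's capture).
ROOT_NS_QUERY = struct.pack("!HHHHHH", 0xEDEC, FLAG_RD, 1, 0, 0, 0) + b"\x00" + struct.pack("!HH", TYPE_NS, CLASS_IN)
NORMAL_QUERY = (struct.pack("!HHHHHH", 0x1234, FLAG_RD, 1, 0, 0, 0)
                + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, CLASS_IN))
```

Any real query carrying a domain name is at least two bytes longer than the 17-byte root query, which is why a length match at the firewall isolates this traffic without touching legitimate lookups.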
0

You can't control the behavior of others. Even if you fix this response at your server, they might decide to move on and vary their attack, rather than just "getting bored". Since you know where they are now, I think blocking them entirely at your firewall is probably your best and safest option.

That said, you do also want to correct your server response to protect against future attacks or even if your current attackers just switch IPs. But someone else can help with that part of the question better than I.

Joel Coel