
We have a small secondary DNS server running on our office ADSL. However, it is currently getting hundreds of requests a second for ripe.net, which is saturating our connection. From reading on the web it looks like it could be part of an amplified DNS attack. It's Windows 2008, and stupidly I hadn't disabled recursion (I had done on the primary). Recursion has now been disabled for 48 hours, but the requests keep on coming (however, the impact on our bandwidth usage is less).

I contacted BT Business who said as the source isn't on their network it's not their problem. I have contacted the providers of the addresses of the source traffic, but they have all responded saying that the IPs have been spoofed.

I'm currently just trying to keep the firewall up to date and block them manually, however, it's not a long term solution.

Any advice on what to do next would be appreciated.

Ross Buggins
  • You've solved the problem -- you're not amplifying anymore. Why do you think you need to do anything else? – David Schwartz Jun 19 '12 at 10:17
  • I'm just conscious of the fact that I am still getting hundreds of requests a second coming in, even though they are not amplifying. I guess it's just a case of hoping that it calms down over time? – Ross Buggins Jun 19 '12 at 10:50
  • Yep. Someone figured out that you were an amplifier and programmed their drone army to use you. They have no way to tell that you aren't amplifying (until and unless they re-test) because all the packets they send are spoofed. – David Schwartz Jun 19 '12 at 11:05

1 Answer


I'm not sure if there is anything else you can do, as I'm guessing that this server needs to be reachable by the world to reach your domains. If it wasn't needed then you could ask your ISP to block incoming DNS requests, so that your ADSL line would calm down.

pauska
  • Indeed I do need the DNS server to still be available. I haven't looked into IP spoofing much before. I'm just surprised there is nothing BT can do to trace the actual source. Or is it likely that the requests are coming from infected hosts as part of a botnet anyway? – Ross Buggins Jun 19 '12 at 10:54
  • DNS recursion attacks don't need spoofing to work since you had recursion enabled. If recursion was disabled and you had a network with wide holes open then spoofing might have worked. – pauska Jun 19 '12 at 10:56
  • They need spoofing to work. If they weren't spoofed, each machine would attack itself rather than the army coordinating an attack on a chosen target. – David Schwartz Jun 19 '12 at 11:06
  • @DavidSchwartz it can work not spoofed too. The attacking machine will indeed receive unneeded (for the attacker's purpose) replies, but still will do an amplification attack on ripe.net – Sandman4 Jun 19 '12 at 12:45
  • That's what I was a little unsure about - are they trying to attack ripe.net or the hosts whose IPs they are spoofing? – Ross Buggins Jun 19 '12 at 13:04
  • The hosts whose IPs they are spoofing. – David Schwartz Jun 19 '12 at 13:34
  • @Sandman4: How will it attack ripe.net? His DNS server has the reply in cache. – David Schwartz Jun 19 '12 at 13:34
  • Having a read of http://www.isotf.org/news/DNS-Amplification-Attacks.pdf is useful – Ross Buggins Jun 19 '12 at 13:51
  • @DavidSchwartz you are right, sorry. – Sandman4 Jun 19 '12 at 20:41
  • After a month or so the requests dropped down to nothing - thanks for the advice. – Ross Buggins Sep 11 '12 at 15:51
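A defender-side check for the pattern described in this thread (one name queried hundreds of times a second, with the source addresses being the spoofed victims rather than the attacker), as an added example that is not from the question or any of the answers. The log format is an assumed simplified one (time, client IP, qname, qtype) with constructed sample lines; a real Windows DNS debug log would need its own regular expression.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (assumed simplified format: time, client IP, qname, qtype);
# a real Windows DNS debug log would need a different regular expression.
SAMPLE_LOG = """\
10:17:00.001 203.0.113.7 ripe.net ANY
10:17:00.004 203.0.113.7 ripe.net ANY
10:17:00.010 198.51.100.9 ripe.net ANY
10:17:00.012 203.0.113.7 ripe.net ANY
10:17:00.020 198.51.100.9 ripe.net ANY
10:17:00.031 203.0.113.7 ripe.net ANY
10:17:00.500 192.0.2.44 example.com A
10:17:01.002 203.0.113.7 ripe.net ANY
10:17:01.009 198.51.100.9 ripe.net ANY
10:17:01.015 203.0.113.7 ripe.net ANY
10:17:01.700 192.0.2.45 example.com MX
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Yield (second, client, qname, qtype) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3).lower(), m.group(4)


def find_amplification_targets(text, qps_threshold=3):
    """Return {qname: {'peak_qps': n, 'sources': {ip: count}}} for names queried
    at or above qps_threshold in any one-second window; the sources are the
    addresses being spoofed, i.e. the hosts actually receiving the replies."""
    per_second = defaultdict(Counter)   # second -> qname -> queries
    sources = defaultdict(Counter)      # qname -> client IP -> queries
    for sec, client, qname, _qtype in parse_log(text):
        per_second[sec][qname] += 1
        sources[qname][client] += 1
    result = {}
    for counts in per_second.values():
        for qname, n in counts.items():
            if n >= qps_threshold:
                entry = result.setdefault(qname, {"peak_qps": 0, "sources": {}})
                entry["peak_qps"] = max(entry["peak_qps"], n)
                entry["sources"] = dict(sources[qname])
    return result


if __name__ == "__main__":
    for name, info in find_amplification_targets(SAMPLE_LOG).items():
        print(f"{name}: peak {info['peak_qps']} q/s, sources {info['sources']}")
```

The flagged source addresses are the ones to notify (they are the victims), and the per-name rate gives a baseline to watch as the traffic tails off after recursion is disabled.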