We have several virtual machines on a public network due to the ip addresses being public. We received the following email today:
We have received the following complaint for xxx.xxx.xxx.xxx. Please investigate, take any necessary actions, and reply back to this email with full resolution details within 24 hours to avoid suspension and/or termination for TOS violation. In order to ensure all communication is received, please do not open a support ticket. Simply respond to this email and we will get back with you. Only open support ticket if you need a technician to suspend the server.
|----------------------------------------------------------------| | Below this line is an example of a complaint we have received: | |----------------------------------------------------------------|
Subject: Open recursive resolver used for an attack: xxx.xxx.xxx.xxx Body: You appear to be running an open recursive resolver at IP address xxx.xxx.xxx.xxx that participated in an attack against a customer of ours, generating large UDP responses to spoofed queries, with those responses becoming fragmented because of their size.
Please consider reconfiguring your resolver in one or more of these ways:
- To only serve your customers and not respond to outside IP addresses (in BIND, this is done by defining a limited set of hosts in "allow-query"; with a Windows DNS server, you would need to use firewall rules to block external access to UDP port 53)
- To only serve domains that it is authoritative for (in BIND, this is done by defining a limited set of hosts in "allow-query" for the server overall but setting "allow-query" to "any" for each zone)
- To rate-limit responses to individual source IP addresses (such as by using DNS Response Rate Limiting or iptables rules)
More information on this type of attack and what each party can do to mitigate it can be found here: http://www.us-cert.gov/ncas/alerts/TA13-088A
If you are an ISP, please also look at your network configuration and make sure that you do not allow spoofed traffic (that pretends to be from external IP addresses) to leave the network. Hosts that allow spoofed traffic make possible this type of attack.
Example DNS responses from your resolver during this attack are given below.=20 Date/timestamps (far left) are UTC.
... removed to hide ip address
(The final octet of our customer's IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is "185".)
I followed the link:
https://www.us-cert.gov/ncas/alerts/TA13-088A
From what it is telling me, evil do-ers out there are using our servers to cause denial of service attacks, at least that is what I gather from the link.
It suggests we make the following change:
My questions are, will this cause issues with the other virtual machines on the network and will this fix the problem? Is there any repercussions on making this change?
Any have any suggestions on handling this? We have 3 domain controllers that we probably need adjust to prevent this.
Thanks in advanced!
EDIT#1
If we set up the firewall rule to only include our ip addresses on port 52, would that solve our problem? Just a thought.
