What's the best solution in CSF for DNS/named flooding?

6 posts Page 1 of 1
jols
Junior Member
Posts: 111
Joined: 08 May 2007, 04:43


Our /var/log/messages is full of entries like this:

Sep 22 04:52:05 apogee named[32381]: client 62.6.40.178#48758: view external: query (cache) 'homefarmland.com/MX/IN' denied
Sep 22 04:52:06 apogee named[32381]: client 24.197.239.154#52579: view external: query (cache) 'homefarmland.com/MX/IN' denied
Sep 22 04:52:07 apogee named[32381]: client 74.125.181.25#65069: view external: query (cache) 'stevengoodphoto.com/A/IN' denied
Sep 22 04:52:07 apogee named[32381]: client 74.125.17.91#52658: view external: query (cache) 'stevengoodphoto.com/A/IN' denied
Sep 22 04:52:07 apogee named[32381]: client 84.14.138.206#37547: view external: query (cache) 'stEVeNgooDPHOto.CoM/A/IN' denied
Sep 22 04:52:07 apogee named[32381]: client 84.14.138.206#33757: view external: query (cache) 'stEVeNgooDPHOto.CoM/A/IN' denied
Sep 22 04:52:07 apogee named[32381]: client 84.14.138.206#29783: view external: query (cache) 'stEVeNgooDPHOto.CoM/A/IN' denied
Sep 22 04:52:08 apogee named[32381]: client 84.14.138.206#44995: view external: query (cache) 'stEVeNgooDPHOto.CoM/A/IN' denied
Sep 22 04:52:08 apogee named[32381]: client 173.203.4.49#26700: view external: query (cache) 'charleslthomas.com/MX/IN' denied
Sep 22 04:52:09 apogee named[32381]: client 173.203.4.49#42211: view external: query (cache) 'charleslthomas.com/MX/IN' denied
Sep 22 04:52:09 apogee named[32381]: client 173.203.4.48#33108: view external: query (cache) 'charleslthomas.com/MX/IN' denied
Sep 22 04:52:09 apogee named[32381]: client 173.203.4.48#33796: view external: query (cache) 'charleslthomas.com/MX/IN' denied
Sep 22 04:52:09 apogee named[32381]: client 173.203.4.46#42156: view external: query (cache) 'charleslthomas.com/MX/IN' denied
Sep 22 04:52:09 apogee named[32381]: client 173.203.4.46#23844: view external: query (cache) 'charleslthomas.com/MX/IN' denied
Sep 22 04:52:10 apogee named[32381]: client 150.70.64.50#24021: view external: query (cache) 'servicemanagementart.ca/AAAA/IN' denied
Sep 22 04:52:11 apogee named[32381]: client 192.94.94.26#12494: view external: query (cache) 'homefarmland.com/MX/IN' denied
Sep 22 04:52:11 apogee named[32381]: client 199.21.99.69#5335: view external: query (cache) 'luxuryskinstore.com/A/IN' denied
Sep 22 04:52:13 apogee named[32381]: client 192.94.94.27#51031: view external: query (cache) 'homefarmland.com/MX/IN' denied
Sep 22 04:52:16 apogee named[32381]: client 192.94.94.26#56678: view external: query (cache) 'homefarmland.com/MX/IN' denied
Sep 22 04:52:16 apogee named[32381]: client 87.236.197.113#26156: view external: query (cache) 'homefarmland.com/A/IN' denied

I believe the attacker may be using our server as a reflection attack by hitting our DNS services this way.

We've got all the standard security configs in named.conf but I have not switched off allow-recursion { trusted; }; yet, and recursion yes; is still (set to yes) further down the list.

Currently I've got a shell script that runs every 20 seconds, tails the last 30 log entries in /var/named/data/named.run that contain the word "denied" then blocks the IPs via /etc/csf/csf.pl -d . But the attacking IPs are seemingly endless.

Advice anyone?
jols
Junior Member
Posts: 111
Joined: 08 May 2007, 04:43


More detail for my named.conf settings:

In

view "external" {

Recursion is set to "no".

In

view "localhost_resolver" {

Recursion is set to "yes"

In

view "internal" {

Recursion is set to "yes"


So could these just be attempts that are essentially not sending responses out, and are truly being denied? If so, then how the heck can I prevent logging for this stuff?
jols
Junior Member
Posts: 111
Joined: 08 May 2007, 04:43


Okay, after spending a few hours with this, I have surmised that these "attacks" are not having any effect due to the protective settings in named.conf, so then I found out how to just block these log entries, from another post here:

http://forums.cpanel.net/f5/why-named-l ... 70302.html

So far, so good.
jols
Junior Member
Posts: 111
Joined: 08 May 2007, 04:43


Update, yes, I've found that this logging can be switched off using "category security { null; };", but I would rather not switch off general security logging for named. Does anyone know of a way to switch off just and only the "query (cache)" logging?

By the way, such queries are coming in as high as 20 times per second on one of our servers, so in any case, it's a real problem.
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13


There is an option in csf to block persistent external query attacks - LF_BIND, but it should be used with care.
aegis
Junior Member
Posts: 11
Joined: 31 Jan 2010, 00:13


A client of mine has been getting repeatedly hit by these kinds of DNS attacks and would appreciate if anyone has any further insight as to how to solve it.

Like the OP their DNS was getting repeatedly asked to respond to A / MX record requests for domains they used to host but no longer did. The source IP changed frequently but the 'target' IP that the attacker was using would be a complete class C on port 80. The denied request therefore amplifying the data in a classic reflection attack.

LF_INTERVAL is 300
LF_BIND is 100

Recursion is set to no for external, yes for local/internal.

The data center detects the reflection attack based on repeated, sequential attacks to the same class C and raises an abuse notice with the potential to block the server should it persist. Each time we've manually had to csf -d potential attackers and do our best to placate the data center.

Is there something else in CSF that can be tweaked to stop this kind of attack? Or perhaps some way to quietly fail the external queries for domains that no longer exist on the server?
6 posts Page 1 of 1