Page 1 of 1

DNS DoS attacks

Posted: 24 Sep 2012, 20:31
by nospa
I would like to prevent DNS attacks by limiting number of connections to DNS servers:

IPTABLES -I INPUT -p udp --dport 53 -m recent --set --name DNSQF --rsource
IPTABLES -I INPUT -p udp --dport 53 -m recent --update --seconds 1 --hitcount 9 --name DNSQF --rsource -j DROP
IPTABLES -I INPUT -p udp --dport 53 -m recent --set --name DNSHF --rsource
IPTABLES -I INPUT -p udp --dport 53 -m recent --update --seconds 7 --hitcount 20 --name DNSHF --rsource -j DROP

I read that they must to be put before other INPUT rules.

How to do this with csf? When I use csfpost.sh they are put after other INPUT rules.

[edit] found to set "iptables -I INPUT 1 xxxxx" for first rule etc...

BTW - are those rules "safe" for cpanel webhosting server?

Re: DNS DoS attacks

Posted: 08 Oct 2012, 10:11
by chirpy
That functionality is available using the PORTFLOOD setting.

Re: DNS DoS attacks

Posted: 08 Oct 2012, 19:20
by sneader
Hi Chirpy. I'm wondering if you could provide an example configuration? I am having a similar issue, where I am being hit with hundreds of connections on port 53 from certain IP addresses, all doing IN ANY DNS queries for the same couple of domain names. When I have talked to the admins of the source IPs, they say that are under DDoS attack, and that my server is part of it. I.e. the source IP is spoofed, and so I am sending all these DNS query results to the victim.

I suspect the DNS queries are using UDP (easily spoofed), so CONNLIMIT won't work. I have tried PORTFLOOD, as you have suggested, but it is not working:

53;udp;20;10,53;tcp;20;10

i.e. if more than 20 connections to tcp/udp 53 within 10 seconds, then block that IP from using port 53 for at least 10 seconds. However, it does not work. I can tail the DNS query log and see a few IPs hit the server as heavy as 50 times per SECOND and continue this for as long as they want.

Can you tell me if I'm doing something wrong?

- Scott

Re: DNS DoS attacks

Posted: 07 Mar 2013, 13:37
by krytie
Hi,

I am having this same issue.. i am getting hundreds of DNS requests as part of a dns DDOS attack. tcpdump shows.

00:21:37.612632 IP victim.25345 > myserver.domain: 10809+ [1au] ANY? isc<DOT>org. (36)
00:21:37.612904 IP myserver.domain > victim.25345: 10809- 0/13/1 (247)

my port flood setting is: 22;tcp;5;300,53;udp;20;300,53;tcp;20;300,25;tcp;20;300

what am i doing wrong? its slaying my data limit :(

Re: DNS DoS attacks

Posted: 07 Mar 2013, 14:48
by user4473
This is a DNS Reflective Amplification Attack.
This rule limits ANY queries to 10 in 600 seconds.

Code: Select all

iptables -I INPUT -p udp --dport 53 -m string --from 47 --algo bm --hex-string '|0000FF0001|' -m recent --set --name dnsanyquery
iptables -I INPUT -p udp --dport 53 -m string --from 47 --algo bm --hex-string '|0000FF0001|' -m recent --name dnsanyquery --rcheck --seconds 600 --hitcount 10 -j DROP

Re: DNS DoS attacks

Posted: 07 Mar 2013, 22:54
by krytie
Hi,

thanks for the reply. i had found other iptables lines like this in my initial googlings. but i kept getting the same error

# iptables -I INPUT -p udp --dport 53 -m string --from 47 --algo bm --hex-string '|0000FF0001|' -m recent --set --name dnsanyquery
iptables: No chain/target/match by that name
# iptables -I INPUT -p udp --dport 53 -m string --from 47 --algo bm --hex-string '|0000FF0001|' -m recent --name dnsanyquery --rcheck --seconds 600 --hitcount 10 -j DROP
iptables: No chain/target/match by that name

is this a module issue maybe?

Re: DNS DoS attacks

Posted: 07 Mar 2013, 23:52
by user4473
You need kernel config NETFILTER_XT_MATCH_RECENT and NETFILTER_XT_MATCH_STRING

"recent" match support
"string" match support

Re: DNS DoS attacks

Posted: 08 Mar 2013, 03:54
by sneader
I would like to learn how to fix this from within CSF.

- Scott