DNS DoS attacks

nospa
Junior Member
Posts: 16
Joined: 11 Aug 2011, 00:55

DNS DoS attacks

Post by nospa »

I would like to prevent DNS attacks by limiting number of connections to DNS servers:

iptables -I INPUT -p udp --dport 53 -m recent --set --name DNSQF --rsource
iptables -I INPUT -p udp --dport 53 -m recent --update --seconds 1 --hitcount 9 --name DNSQF --rsource -j DROP
iptables -I INPUT -p udp --dport 53 -m recent --set --name DNSHF --rsource
iptables -I INPUT -p udp --dport 53 -m recent --update --seconds 7 --hitcount 20 --name DNSHF --rsource -j DROP

I read that they must be put before other INPUT rules.

How to do this with csf? When I use csfpost.sh they are put after other INPUT rules.

[edit] Found it: set "iptables -I INPUT 1 xxxxx" for the first rule, etc...

BTW - are those rules "safe" for a cPanel webhosting server?
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Re: DNS DoS attacks

Post by chirpy »

That functionality is available using the PORTFLOOD setting.
sneader
Junior Member
Posts: 84
Joined: 22 Mar 2007, 05:38

Re: DNS DoS attacks

Post by sneader »

Hi Chirpy. I'm wondering if you could provide an example configuration? I am having a similar issue, where I am being hit with hundreds of connections on port 53 from certain IP addresses, all doing IN ANY DNS queries for the same couple of domain names. When I have talked to the admins of the source IPs, they say that they are under DDoS attack, and that my server is part of it. I.e. the source IP is spoofed, and so I am sending all these DNS query results to the victim.

I suspect the DNS queries are using UDP (easily spoofed), so CONNLIMIT won't work. I have tried PORTFLOOD, as you have suggested, but it is not working:

53;udp;20;10,53;tcp;20;10

i.e. if more than 20 connections to tcp/udp 53 within 10 seconds, then block that IP from using port 53 for at least 10 seconds. However, it does not work. I can tail the DNS query log and see a few IPs hit the server as heavy as 50 times per SECOND and continue this for as long as they want.

Can you tell me if I'm doing something wrong?

- Scott
krytie
Junior Member
Posts: 2
Joined: 07 Mar 2013, 13:25

Re: DNS DoS attacks

Post by krytie »

Hi,

I am having this same issue. I am getting hundreds of DNS requests as part of a DNS DDoS attack. tcpdump shows:

00:21:37.612632 IP victim.25345 > myserver.domain: 10809+ [1au] ANY? isc<DOT>org. (36)
00:21:37.612904 IP myserver.domain > victim.25345: 10809- 0/13/1 (247)

my port flood setting is: 22;tcp;5;300,53;udp;20;300,53;tcp;20;300,25;tcp;20;300

What am I doing wrong? It's slaying my data limit :(
user4473
Junior Member
Posts: 7
Joined: 20 Aug 2012, 16:28

Re: DNS DoS attacks

Post by user4473 »

This is a DNS Reflective Amplification Attack.
This rule limits ANY queries to 10 in 600 seconds.


iptables -I INPUT -p udp --dport 53 -m string --from 47 --algo bm --hex-string '|0000FF0001|' -m recent --set --name dnsanyquery
iptables -I INPUT -p udp --dport 53 -m string --from 47 --algo bm --hex-string '|0000FF0001|' -m recent --name dnsanyquery --rcheck --seconds 600 --hitcount 10 -j DROP
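An added example (not from this thread, and not csf's or iptables' own code) that mirrors in Python what the string match above tests: it builds a DNS query inside an IPv4/UDP frame and checks whether the bytes 00 00FF 0001 (end of QNAME, QTYPE ANY, QCLASS IN) occur at or after packet offset 47, which is how `-m string --from 47 --hex-string '|0000FF0001|'` sees the packet. It assumes a 20-byte IP header without options, no EDNS OPT record, and that the --from offset counts from the start of the IP header; addresses and transaction id are constructed sample values.

```python
import struct

QTYPE_ANY, QTYPE_A, QCLASS_IN = 255, 1, 1
ANY_IN_PATTERN = bytes.fromhex("0000FF0001")  # name terminator + QTYPE ANY + QCLASS IN

def encode_name(name: str) -> bytes:
    """Encode a dotted hostname in DNS wire format (length-prefixed labels + root)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"

def build_query(name: str, qtype: int, txid: int = 0x2A39) -> bytes:
    """Constructed IPv4/UDP/DNS query with one question and no EDNS, as INPUT sees it."""
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    dns += encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    udp = struct.pack("!HHHH", 25345, 53, 8 + len(dns), 0)  # UDP checksum left at 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(dns), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 53]))  # sample addresses
    return ip + udp + dns

def string_match(packet: bytes, pattern: bytes, from_offset: int) -> bool:
    """Mirror of `-m string --from N --hex-string P`: search from byte N of the IP packet."""
    return packet.find(pattern, from_offset) != -1

def parse_question(packet: bytes) -> tuple:
    """Decode the first question (name, qtype, qclass) properly instead of byte-grepping."""
    pos = 20 + 8 + 12  # IP header + UDP header + DNS header
    labels = []
    while packet[pos]:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return ".".join(labels), qtype, qclass

def rule_hits(name: str, qtype: int, from_offset: int = 47) -> bool:
    """True if the thread's string match would fire on a query for `name`/`qtype`."""
    return string_match(build_query(name, qtype), ANY_IN_PATTERN, from_offset)
```

For isc.org the QNAME terminator lands at offset 48, so the ANY query is matched while an A query for the same name is not; a very short name such as a.b puts the pattern at offset 44, before --from 47, so the rule misses it and a proper parse of the question (parse_question) is the more robust check.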
krytie
Junior Member
Posts: 2
Joined: 07 Mar 2013, 13:25

Re: DNS DoS attacks

Post by krytie »

Hi,

Thanks for the reply. I had found other iptables lines like this in my initial googling, but I kept getting the same error:

# iptables -I INPUT -p udp --dport 53 -m string --from 47 --algo bm --hex-string '|0000FF0001|' -m recent --set --name dnsanyquery
iptables: No chain/target/match by that name
# iptables -I INPUT -p udp --dport 53 -m string --from 47 --algo bm --hex-string '|0000FF0001|' -m recent --name dnsanyquery --rcheck --seconds 600 --hitcount 10 -j DROP
iptables: No chain/target/match by that name

Is this a module issue maybe?
user4473
Junior Member
Posts: 7
Joined: 20 Aug 2012, 16:28

Re: DNS DoS attacks

Post by user4473 »

You need kernel config NETFILTER_XT_MATCH_RECENT and NETFILTER_XT_MATCH_STRING

"recent" match support
"string" match support
sneader
Junior Member
Posts: 84
Joined: 22 Mar 2007, 05:38

Re: DNS DoS attacks

Post by sneader »

I would like to learn how to fix this from within CSF.

- Scott