Strange DNS DOS attack — Endless Recursive Queries for

denial-of-service, domain-name-system

Our W2K3 DNS servers seem to be under some kind of DOS attack, but I can't seem to find any description of, or rationale for the attack.

Three specific remote hosts have been bombarding two of our three DNS servers with lines like this:

8937  891.093750  91.205.43.25  ns2.me.com  DNS  DNS: QueryId = 0xDA7C, QUERY (Standard query), Query  for   of type NS on class Internet
8938  891.218750  91.205.43.25  ns2.me.com  DNS  DNS: QueryId = 0xA504, QUERY (Standard query), Query  for   of type NS on class Internet
8939  891.219727  91.205.43.25  ns1.me.com  DNS  DNS: QueryId = 0x4E3F, QUERY (Standard query), Query  for   of type NS on class Internet
8940  891.370117  69.197.181.26   ns1.me.com  DNS  DNS: QueryId = 0xA8CC, QUERY (Standard query), Query  for   of type NS on class Internet
8941  891.372070  69.197.181.26   ns2.me.com  DNS  DNS: QueryId = 0xC808, QUERY (Standard query), Query  for   of type NS on class Internet
8942  891.476562  91.205.43.25  ns2.me.com  DNS  DNS: QueryId = 0xCC37, QUERY (Standard query), Query  for   of type NS on class Internet
8943  891.478516  91.205.43.25  ns1.me.com  DNS  DNS: QueryId = 0xEDEC, QUERY (Standard query), Query  for   of type NS on class Internet

There have been about 10 per second of these for several days now. Each attacker tries both the attacked servers in rapid succession, although they never try our third server.

Here is a sample of the detail of each packet:

  Frame: 
+ Ethernet: Etype = Internet IP (IPv4)
+ Ipv4: Next Protocol = UDP, Packet ID = 20114, Total IP Length = 45
+ Udp: SrcPort = 23909, DstPort = DNS(53), Length = 25
- Dns: QueryId = 0xEDEC, QUERY (Standard query), Query  for   of type NS on class Internet
    QueryIdentifier: 60908 (0xEDEC)
  - Flags:  Query, Opcode - QUERY (Standard query), RD, Rcode - Success
     QR:                (0...............) Query
     Opcode:            (.0000...........) QUERY (Standard query) 0
     AA:                (.....0..........) Not authoritative
     TC:                (......0.........) Not truncated
     RD:                (.......1........) Recursion desired
     RA:                (........0.......) Recursive query support not available
     Zero:              (.........0......) 0
     AuthenticatedData: (..........0.....) Not AuthenticatedData
     CheckingDisabled:  (...........0....) Not CheckingDisabled
     Rcode:             (............0000) Success 0
    QuestionCount: 1 (0x1)
    AnswerCount: 0 (0x0)
    NameServerCount: 0 (0x0)
    AdditionalCount: 0 (0x0)
  - QRecord:   of type NS on class Internet
     QuestionName: 
     QuestionType: NS, Authoritative name server, 2(0x2)
     QuestionClass: Internet, 1(0x1)

We currently have our firewall configured to simply drop requests from the three attackers, but if I allow them through, our server responds with a long answer listing the names (but not addresses) of all the root hint servers, and it seems to do this regardless of whether or not recursion is turned on.

Anyone have any idea what this is about? Can I get the incoming traffic to stop, or am I stuck blocking it at the firewall until they get bored?

Thanks for any info,
Paul

Best Answer

This may not be a DoS against you - it's much more likely that your machines are being used to send packets to someone else.

This is called an "amplification attack". They send you a 25 byte DNS request - you send back ~500 bytes of root hints.

If this is the case, the source IP addresses are actually spoofed, and they're taking advantage of your large response to enhance the effect of their DoS against those spoofed IP addresses.

Dropping the packets at your firewall is probably the best you can do at the moment.

However, the real solution in the long term is to configure your DNS server to return the REFUSED response code for any query for which the server is not authoritative. If you do that then your server would no longer be a useful tool for future amplification attacks on other people.
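As an added example (not code from the question or the answer above), the script below does two things with constructed data copied from the capture lines quoted in the question: it parses those lines and groups root-zone NS queries by source and target, and it builds the "NS for ." query on the wire next to the REFUSED reply the answer recommends, so you can see that the reply is the same size as the request (17 bytes of DNS payload inside the 25-byte UDP datagram shown in the capture) and gives a reflector nothing to amplify. The line format assumed by the regex, the helper names and the root-hints response size are my assumptions; the addresses, server names and query IDs come from the question.

```python
"""Added example, not from the original post or answer: triage of the
captured query lines and the wire-format exchange before and after the
REFUSED fix. All sample data is constructed from the question's excerpt."""
import re
import struct
from collections import defaultdict

# --- 1. Triage of capture lines (constructed from the question's excerpt) ---
CAPTURE_LINES = """\
8937  891.093750  91.205.43.25  ns2.me.com  DNS  DNS: QueryId = 0xDA7C, QUERY (Standard query), Query  for   of type NS on class Internet
8938  891.218750  91.205.43.25  ns2.me.com  DNS  DNS: QueryId = 0xA504, QUERY (Standard query), Query  for   of type NS on class Internet
8939  891.219727  91.205.43.25  ns1.me.com  DNS  DNS: QueryId = 0x4E3F, QUERY (Standard query), Query  for   of type NS on class Internet
8940  891.370117  69.197.181.26   ns1.me.com  DNS  DNS: QueryId = 0xA8CC, QUERY (Standard query), Query  for   of type NS on class Internet
8941  891.372070  69.197.181.26   ns2.me.com  DNS  DNS: QueryId = 0xC808, QUERY (Standard query), Query  for   of type NS on class Internet
8942  891.476562  91.205.43.25  ns2.me.com  DNS  DNS: QueryId = 0xCC37, QUERY (Standard query), Query  for   of type NS on class Internet
8943  891.478516  91.205.43.25  ns1.me.com  DNS  DNS: QueryId = 0xEDEC, QUERY (Standard query), Query  for   of type NS on class Internet
""".splitlines()

# Assumed line layout: frame, time, src, dst, proto, description (as in the question).
LINE_RE = re.compile(
    r"^\d+\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+DNS\s+DNS: QueryId = (?P<qid>0x[0-9A-Fa-f]+), "
    r".*Query\s+for\s+(?P<qname>\S*)\s+of type (?P<qtype>\S+) on class"
)


def parse_capture(lines):
    """Return one dict per capture line the regex recognises."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["time"] = float(rec["time"])
            rec["qname"] = rec["qname"] or "."  # the capture shows the root name as blank
            records.append(rec)
    return records


def suspicious_sources(records, min_queries=2):
    """Sources that repeatedly ask for the NS set of the root zone, with the servers they hit."""
    by_src = defaultdict(list)
    for rec in records:
        if rec["qname"] == "." and rec["qtype"] == "NS":
            by_src[rec["src"]].append(rec)
    return {
        src: {"count": len(recs), "targets": sorted({r["dst"] for r in recs})}
        for src, recs in by_src.items()
        if len(recs) >= min_queries
    }


# --- 2. The wire-format exchange: the root NS query and the REFUSED reply ---
QTYPE_NS, QCLASS_IN = 2, 1
FLAG_QR, FLAG_RD = 0x8000, 0x0100
RCODE_REFUSED = 5
ROOT_HINTS_RESPONSE_BYTES = 500  # the answer's rough figure for the amplified reply (assumed)


def build_root_ns_query(qid):
    """An 'NS for .' query with RD set: 12-byte header + 1-byte root name + type + class = 17 bytes."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    question = b"\x00" + struct.pack("!HH", QTYPE_NS, QCLASS_IN)
    return header + question


def parse_message(data):
    """Decode the header and first question of a DNS message (plain labels only, no compression)."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    pos, labels = 12, []
    while True:
        length = data[pos]
        pos += 1
        if length == 0:
            break
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", data[pos:pos + 4])
    return {"qid": qid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
            "qname": ".".join(labels) + "." if labels else ".", "qtype": qtype, "qclass": qclass,
            "question_end": pos + 4}


def refused_response(query):
    """The answer's fix on the wire: echo the question, set QR and RCODE=REFUSED, carry no records."""
    q = parse_message(query)
    flags = FLAG_QR | (FLAG_RD if q["rd"] else 0) | RCODE_REFUSED
    header = struct.pack("!HHHHHH", q["qid"], flags, 1, 0, 0, 0)
    return header + query[12:q["question_end"]]


def amplification_factor(request_len, response_len):
    """Bytes delivered to the spoofed victim per byte the sender spends."""
    return response_len / request_len


if __name__ == "__main__":
    for src, info in suspicious_sources(parse_capture(CAPTURE_LINES)).items():
        print(f"{src}: {info['count']} root NS queries to {', '.join(info['targets'])}")
    q = build_root_ns_query(0xEDEC)
    print("query bytes:", len(q), "refused reply bytes:", len(refused_response(q)))
    print("amplification before fix: %.0fx, after fix: %.0fx" % (
        amplification_factor(len(q), ROOT_HINTS_RESPONSE_BYTES),
        amplification_factor(len(q), len(refused_response(q)))))
```

The point of the second half is the size comparison: a root-hints answer of several hundred bytes for a 17-byte question is what makes an unmodified server worth reflecting off, while a REFUSED reply is byte-for-byte the same size as the question, so the spoofed victim receives no more than the sender paid for.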