Re: Bind dns amplification attack
Hello guys,

I see, my server is authoritative for some internal domain, so I will try allow-query. Thank you.

But the attack is from my allowed IP addresses, so I can't block the entire zone. I tried nxdomains-per-second but the server is not giving an NXDOMAIN response but SERVFAIL. How about errors-per-second: sets the limit of errors (REFUSED, FORMERR or SERVFAIL)?

BR,
Nyamka

From: bind-users on behalf of Matus UHLAR - fantomas
Sent: Wednesday, March 29, 2023 3:24 PM
To: bind-users@lists.isc.org
Subject: Re: Bind dns amplification attack

> On 3/28/23 11:28 AM, Matus UHLAR - fantomas wrote:
> > > Yes, this is one of the problems "authoritative zones for local use".
>
> On 28.03.23 12:18, Grant Taylor via bind-users wrote:
> > Authorizing the /zone/ for local use wasn't the problem. The problem was that the world could get some of that zone's data from the query cache even if they couldn't query the zone directly.
>
> When was this? Querying the cache is by default allowed for the same clients as recursion, unless perhaps it was an old BIND version.
>
> > > The default root "hint" zone is only available for those who have recursion available.
>
> > I feel like the "root hint zone" is considerably different than "root zone" proper. The fact that they have different zone types seems to support that.
>
> Yes. The content of the hint zone is abused to generate an amplification attack:
>
> Mar 26 16:03:53 fantomas named[1654]: client @0xe7379d50 195.88.25.138#59467 (.): query (cache) './ANY/IN' denied
>
> If you have a local root zone, the response is provided by default, and it can be huge:
>
> % dig +noanswer +noadditional +nocomments +nocmd +noquestion -t any . @fantomas.fantomas.sk
> ;; Query time: 0 msec
> ;; SERVER: 195.80.174.185#53(195.80.174.185)
> ;; WHEN: Wed Mar 29 09:23:27 CEST 2023
> ;; MSG SIZE  rcvd: 2904
>
> but the default "type hint" root is treated as cache and REFUSED is sent.
> -- 
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> On the other hand, you have different fingers.

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Bind dns amplification attack
On 3/28/23 11:28 AM, Matus UHLAR - fantomas wrote:
> > Yes, this is one of the problems "authoritative zones for local use".

On 28.03.23 12:18, Grant Taylor via bind-users wrote:
> Authorizing the /zone/ for local use wasn't the problem. The problem was that the world could get some of that zone's data from the query cache even if they couldn't query the zone directly.

When was this? Querying the cache is by default allowed for the same clients as recursion, unless perhaps it was an old BIND version.

> > The default root "hint" zone is only available for those who have recursion available.

> I feel like the "root hint zone" is considerably different than "root zone" proper. The fact that they have different zone types seems to support that.

Yes. The content of the hint zone is abused to generate an amplification attack:

Mar 26 16:03:53 fantomas named[1654]: client @0xe7379d50 195.88.25.138#59467 (.): query (cache) './ANY/IN' denied

If you have a local root zone, the response is provided by default, and it can be huge:

% dig +noanswer +noadditional +nocomments +nocmd +noquestion -t any . @fantomas.fantomas.sk
;; Query time: 0 msec
;; SERVER: 195.80.174.185#53(195.80.174.185)
;; WHEN: Wed Mar 29 09:23:27 CEST 2023
;; MSG SIZE  rcvd: 2904

but the default "type hint" root is treated as cache and REFUSED is sent.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
On the other hand, you have different fingers.
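The denied line above, and the symptom the thread opened with (one domain being asked for from many sources, some of them inside the allowed ACL), are what a query-log triage script has to pick out before a rate limit such as errors-per-second is tuned or an internal client is hunted down. The Python below is an added example, not code from the thread or from ISC. It parses BIND 9's query-log line shape and the security-category denial quoted above, with either BIND's own timestamp or a syslog prefix in front, and reports per-client bursts, clients that mostly send ANY, clients being refused (the REFUSED answers that errors-per-second would throttle) and domains queried from many distinct sources. The sample lines, the `m01.example.net` style names, the `203.0.113.*` addresses and every threshold are constructed for the example; the "last two labels" zone key is a simplification in place of a public-suffix list.

```python
# Added example (not code from the thread or from ISC): triage BIND 9 logs for
# the traffic pattern discussed here.  Two line shapes are parsed, the query
# log ("client ... (name): query: name IN TYPE flags ...") and the security
# category denial quoted above ("... (.): query (cache) './ANY/IN' denied"),
# with either BIND's own or syslog's timestamp in front.  All sample lines and
# thresholds below are constructed for the example.
import re
from collections import Counter, defaultdict

TS_RE = re.compile(r"(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}|^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})")
EVENT_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"(?:query: (?P<name>\S+) \S+ (?P<qtype>\S+)"
    r"|query \((?:cache|zone)\) '(?P<dname>[^/']*)/(?P<dtype>[^/']+)/[^']+' denied)"
)


def parse_line(line):
    """Return {ts, ip, qname, qtype, denied} for a recognised line, else None."""
    t, m = TS_RE.search(line), EVENT_RE.search(line)
    if not t or not m:
        return None
    denied = m.group("dname") is not None
    return {
        "ts": t.group(1),                      # second-resolution bucket key
        "ip": m.group("ip"),
        "qname": (m.group("dname") if denied else m.group("name")).rstrip(".").lower(),
        "qtype": (m.group("dtype") if denied else m.group("qtype")).upper(),
        "denied": denied,
    }


def registered_domain(qname):
    """Last two labels as a crude zone key (assumption: no public-suffix list)."""
    labels = [l for l in qname.split(".") if l]
    return ".".join(labels[-2:])


def analyze(lines, qps_threshold=20, any_ratio=0.5, min_queries=5, min_sources=3):
    """Who floods, who asks ANY, who gets refused, which domains many sources ask for."""
    clients = defaultdict(lambda: {"queries": 0, "any": 0, "denied": 0, "per_sec": Counter()})
    sources = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        c = clients[ev["ip"]]
        c["per_sec"][ev["ts"]] += 1
        if ev["denied"]:
            c["denied"] += 1      # the REFUSED answers errors-per-second would throttle
            continue
        c["queries"] += 1
        c["any"] += ev["qtype"] == "ANY"
        sources[registered_domain(ev["qname"])].add(ev["ip"])
    return {
        "flood_clients": sorted(ip for ip, c in clients.items()
                                if max(c["per_sec"].values()) >= qps_threshold),
        "any_heavy_clients": sorted(ip for ip, c in clients.items()
                                    if c["queries"] >= min_queries
                                    and c["any"] / c["queries"] >= any_ratio),
        "refused_clients": {ip: c["denied"] for ip, c in clients.items() if c["denied"]},
        "hot_domains": {d: len(s) for d, s in sources.items() if len(s) >= min_sources},
    }


def _query(ts, ip, port, name, qtype):
    # Constructed query-log line in BIND 9's own format.
    return (f"28-Mar-2023 {ts}.000 client @0x7f1a2b3c4d50 {ip}#{port} ({name}): "
            f"query: {name} IN {qtype} +E(0)K (203.0.113.53)")


def _denied(ts, ip, port, name, qtype):
    # Constructed security-category line in the shape quoted in the thread.
    return (f"28-Mar-2023 {ts}.000 client @0xe7379d50 {ip}#{port} ({name}): "
            f"query (cache) '{name}/{qtype}/IN' denied")


SAMPLE_LOG = (
    # 30 queries in one second from one allowed client: a flood
    [_query("09:33:01", "103.99.103.7", 40000 + i, f"m{i:02d}.example.net", "A") for i in range(30)]
    # a second allowed client hitting the same domain, under the rate threshold
    + [_query("09:33:02", "103.99.103.9", 41000 + i, f"m{i:02d}.example.net", "A") for i in range(12)]
    # an allowed client that only ever asks ANY
    + [_query(f"09:33:0{i}", "43.228.128.2", 42000 + i, "example.net", "ANY") for i in range(1, 7)]
    # an outside host refused at the cache, as in the thread
    + [_denied("09:33:03", "203.0.113.50", 59000 + i, ".", "ANY") for i in range(4)]
    # ordinary traffic
    + [_query("09:33:04", "202.70.32.17", 43000, "www.isc.org", "A"),
       _query("09:33:05", "202.70.32.17", 43001, "www.isc.org", "AAAA")]
)

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against `querylog` output (`rndc querylog on`) and the `security` category; the flood and ANY-heavy lists are the allowed clients worth investigating first, and the refused counts show how much a REFUSED-based rate limit would actually bite.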
Re: Bind dns amplification attack
On 3/28/23 11:28 AM, Matus UHLAR - fantomas wrote:
> Yes, this is one of the problems "authoritative zones for local use".

Authorizing the /zone/ for local use wasn't the problem. The problem was that the world could get some of that zone's data from the query cache even if they couldn't query the zone directly.

> The default root "hint" zone is only available for those who have recursion available.

I feel like the "root hint zone" is considerably different than "root zone" proper. The fact that they have different zone types seems to support that. ;-)

I bring this up as this is something that I've stubbed my toe on and I would like it if others can avoid similarly stubbing their toes.

-- 
Grant. . . .
unix || die
Re: Bind dns amplification attack
On 3/28/23 10:48 AM, Matus UHLAR - fantomas wrote:
> > If your server has authoritative zones for internal use, yes, in such case allow-query is a good idea.

On 28.03.23 11:02, Grant Taylor via bind-users wrote:
> The server that I first set this on had a secondary copy of the root zone for my systems' use. I ended up adding additional restrictions to prevent the world from querying it in addition to the public zones that are allowed to be queried by the world.

Yes, this is one of the problems "authoritative zones for local use".

The default root "hint" zone is only available for those who have recursion available.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
My mind is like a steel trap - rusty and illegal in 37 states.
Re: Bind dns amplification attack
On 3/28/23 10:48 AM, Matus UHLAR - fantomas wrote:
> If your server has authoritative zones for internal use, yes, in such case allow-query is a good idea.

The server that I first set this on had a secondary copy of the root zone for my systems' use. I ended up adding additional restrictions to prevent the world from querying it in addition to the public zones that are allowed to be queried by the world.

-- 
Grant. . . .
unix || die
Re: Bind dns amplification attack
On 3/28/23 6:30 AM, Matus UHLAR - fantomas wrote:
> > Great, this means that only clients with those IP addresses can query your server for non-local information.

On 28.03.23 10:16, Grant Taylor via bind-users wrote:
> I used to think the same thing. Then I learned that I needed to also add similar configuration for `allow-query {...};` and `allow-query-cache {...};`

allow-query-cache defaults to the content of allow-recursion if only the latter is defined.

allow-query is safe to configure if nobody is supposed to query your server from outside, e.g. your server does not provide authoritative zones for use from the internet.

If your server has authoritative zones for internal use, yes, in such case allow-query is a good idea.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
I'm not interested in your website anymore. If you need cookies, bake them yourself.
Re: Bind dns amplification attack
On 3/28/23 6:30 AM, Matus UHLAR - fantomas wrote:
> Great, this means that only clients with those IP addresses can query your server for non-local information.

I used to think the same thing. Then I learned that I needed to also add similar configuration for `allow-query {...};` and `allow-query-cache {...};`

The `allow-query-cache {...};` actually bit me because people were able to get the result of recursion if it was in the cache.

    allow-recursion { recclients; };
    allow-query { recclients; };
    allow-query-cache { recclients; };

Something to consider.

-- 
Grant. . . .
unix || die
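The exchange above comes down to which of the three lists is actually in force once BIND's defaults are filled in. The Python below is an added example, not code from the thread or from ISC: it parses a named.conf, applies the defaulting rule Matus states (allow-query-cache follows allow-recursion when only the latter is set) together with the rest of the chain as the BIND 9 ARM describes it as recalled here (then allow-query when recursion is on, then localhost/localnets), and flags the exposures the thread discusses, including the one Grant hit. The defaulting chain is therefore an assumption to verify against the ARM for the version you run; parsing is limited to flat `acl` lists and the options block (no views, per-zone statements, negated entries or nested braces); and the three configurations, the `corp.internal` zone and the loopback stand-in for `localnets` are constructed for the example.

```python
# Added example (not code from the thread or from ISC): compute the effective
# allow-query / allow-recursion / allow-query-cache lists of a named.conf and
# flag the exposures discussed in the thread.  Scope: flat `acl` lists and the
# options block only; negated entries, nested braces, views and per-zone
# statements are out of scope.  The defaulting chain is the one given in the
# thread and in the BIND 9 ARM as recalled here; check it against your version.
import ipaddress
import re

COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
ACL_RE = re.compile(r'\bacl\s+"?([\w-]+)"?\s*\{([^}]*)\}\s*;')
ALLOW_RE = re.compile(r"\b(allow-recursion|allow-query-cache|allow-query)\s*\{([^}]*)\}\s*;")
RECURSION_RE = re.compile(r"\brecursion\s+(yes|no)\s*;")
LOCAL_NETS = ["127.0.0.0/8", "::1/128"]  # assumption: loopback stands in for localnets


def _entries(body):
    return [e.strip().strip('"') for e in body.split(";") if e.strip()]


def _block(text, keyword):
    """Body of the first `keyword { ... };` statement, found by brace matching."""
    m = re.search(r"\b" + keyword + r"\s*\{", text)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    if depth:
        raise ValueError(f"unbalanced braces in {keyword} block")
    return text[m.end():i - 1]


def resolve(entries, acls, _seen=()):
    """Expand an address-match list to 'any' or a list of ip_network objects."""
    nets = []
    for item in entries:
        if item.startswith("!"):
            raise ValueError(f"negated entry {item!r} is not handled here")
        if item == "any":
            return "any"
        if item == "none":
            continue
        if item in ("localhost", "localnets"):
            nets += [ipaddress.ip_network(n) for n in LOCAL_NETS]
        elif item in acls:
            if item in _seen:
                raise ValueError(f"acl reference loop at {item!r}")
            sub = resolve(acls[item], acls, _seen + (item,))
            if sub == "any":
                return "any"
            nets += sub
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def effective_policy(conf):
    """The three lists after BIND's defaults are applied."""
    text = COMMENT_RE.sub("", conf)
    acls = {m.group(1): _entries(m.group(2)) for m in ACL_RE.finditer(text)}
    options = _block(text, "options")
    explicit = {m.group(1): resolve(_entries(m.group(2)), acls)
                for m in ALLOW_RE.finditer(options)}
    rec = RECURSION_RE.search(options)
    recursion = rec.group(1) == "yes" if rec else True
    query = explicit.get("allow-query", "any")

    def fallback(other):
        # allow-query-cache and allow-recursion borrow from each other, then from
        # allow-query (none if recursion is off), then localhost/localnets.
        if other in explicit:
            return explicit[other]
        if "allow-query" in explicit:
            return query if recursion else []
        return resolve(["localhost", "localnets"], acls)

    return {"recursion": recursion, "allow-query": query,
            "allow-recursion": explicit.get("allow-recursion", fallback("allow-query-cache")),
            "allow-query-cache": explicit.get("allow-query-cache", fallback("allow-recursion")),
            "explicit": sorted(explicit)}


def client_allowed(acl, ip):
    """True if the client address matches an expanded address-match list."""
    return acl == "any" or any(ipaddress.ip_address(ip) in net for net in acl)


def audit(conf):
    """Findings as strings; an empty list means nothing obvious is exposed."""
    pol, findings = effective_policy(conf), []
    if pol["recursion"] and pol["allow-recursion"] == "any":
        findings.append("open recursor: allow-recursion is effectively any")
    if pol["allow-query-cache"] == "any":
        findings.append("cache readable by anyone: allow-query-cache is effectively any")
    if pol["allow-query"] == "any" and "allow-query" not in pol["explicit"]:
        findings.append("allow-query left at its default of any: every authoritative zone, "
                        "local-use ones included, answers the whole internet")
    return findings


# Constructed configurations: the ACL posted in the thread with only
# allow-recursion set, an accidental open resolver, and the three-line pattern.
THREAD_CONF = """
acl recclients { 43.228.128.2/32; 202.70.32.17/32; 103.29.147.0/29; 103.99.103.0/24; };
options {
    recursion yes;                 // comments are stripped before parsing
    allow-recursion { recclients; };
};
zone "corp.internal" { type primary; file "corp.internal.db"; };
"""
OPEN_CONF = "options { recursion yes; allow-query { any; }; };"
HARDENED_CONF = """
acl recclients { 103.99.103.0/24; };
options {
    recursion yes;
    allow-recursion { recclients; };
    allow-query { recclients; };
    allow-query-cache { recclients; };
};
"""

if __name__ == "__main__":
    for label, conf in ("thread", THREAD_CONF), ("open", OPEN_CONF), ("hardened", HARDENED_CONF):
        print(f"{label}: {audit(conf) or 'no findings'}")
```

The interesting case is `OPEN_CONF`: nothing in it mentions recursion clients, yet under the chain above `allow-query { any; }` is inherited by both allow-recursion and allow-query-cache, which is exactly how a server that "only opened allow-query" becomes an open recursor. For the thread's own ACL the only finding is that authoritative zones, local-use ones included, are still world-queryable, which is the point Grant and Matus end up on.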
Re: Bind dns amplification attack
On 28. 03. 23 14:30, Matus UHLAR - fantomas wrote:
> On 28.03.23 18:48, Nyamkhand Buluukhuu wrote:
> > Like below in named.conf:
> >
> >     acl recclients { 43.228.128.2/32; 202.70.32.17/32; 103.29.147.0/29; 103.99.103.0/24; };
> >     allow-recursion { recclients; };
>
> Great, this means that only clients with those IP addresses can query your server for non-local information.
> So, your server should NOT be part of an amplification attack.

That would indeed suggest that the attack is coming from inside, assuming the source IP address really is what it pretends to be (i.e., packets are indeed coming from your internal network and do not have a spoofed source IP).

Once you have confirmation, the only thing left is to determine the infected/misbehaving client machines and clean them up locally.

Hopefully it helps a bit to narrow the area you have to search.

-- 
Petr Špaček
Internet Systems Consortium
Re: Bind dns amplification attack
On 28.03.23 18:48, Nyamkhand Buluukhuu wrote:
> Like below in named.conf:
>
>     acl recclients { 43.228.128.2/32; 202.70.32.17/32; 103.29.147.0/29; 103.99.103.0/24; };
>     allow-recursion { recclients; };

Great, this means that only clients with those IP addresses can query your server for non-local information.
So, your server should NOT be part of an amplification attack.
(unless you run a VERY OLD version of BIND)

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
2B|!2B, that's a question!
Re: Bind dns amplification attack
More likely, it's a malware used to do a targeted attack rather than insecure routers. Also, why not both? ;)

Ondrej

--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 28. 3. 2023, at 10:44, Borja Marcos wrote:
>
> > On 28 Mar 2023, at 09:33, Nyamkhand Buluukhuu wrote:
> >
> > Hello,
> >
> > We are having slowly increasing dns requests from our customer zones all asking mXX.krebson.ru. I think this is a DNS amplification attack.
> > And source zones/IP addresses are different but sending same requests like below.
>
> I wonder, maybe some of your customers have open recursive DNS servers themselves? Some brands of routers are unfortunately easy to misconfigure.
>
> I must play whack-a-mole now and then.
>
> Borja.
Re: Bind dns amplification attack
> On 28 Mar 2023, at 09:33, Nyamkhand Buluukhuu wrote:
>
> Hello,
>
> We are having slowly increasing dns requests from our customer zones all asking mXX.krebson.ru. I think this is a DNS amplification attack.
> And source zones/IP addresses are different but sending same requests like below.

I wonder, maybe some of your customers have open recursive DNS servers themselves? Some brands of routers are unfortunately easy to misconfigure.

I must play whack-a-mole now and then.

Borja.
Re: Bind dns amplification attack
On 28.03.23 16:04, Nyamkhand Buluukhuu wrote:
> No, I have an access list that allows only our ISP zones.

Zones? Access lists are meant to limit clients. How do your access limits look?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Saving Private Ryan... Private Ryan exists. Overwrite? (Y/N)
Re: Bind dns amplification attack
Hi,

No, I have an access list that allows only our ISP zones.

BR,
Nyamka

From: m...@at.encryp.ch
Sent: Tuesday, March 28, 2023 3:40 PM
To: Nyamkhand Buluukhuu ; bind-users@lists.isc.org
Subject: Re: Bind dns amplification attack

> Are you an open recursor? If the answer is no, you should not face any amplification attacks.
>
> If you are an open recursor, the best solution is to restrict which IP addresses are allowed to access your recursor.
Re: Bind dns amplification attack
Are you an open recursor? If the answer is no, you should not face any amplification attacks.

If you are an open recursor, the best solution is to restrict which IP addresses are allowed to access your recursor.