DNS amplification attack and mitigation efforts

BigLebowski

Well-Known Member
Dec 24, 2007
Hi there

Like many others on here, I suspect, we allow recursive DNS queries, which is the default cPanel install situation (with BIND, anyway). Recently we've noticed our outbound traffic ramp up and are receiving double bandwidth charges from our suppliers. Today I noticed high outbound on a box and, using tcpdump, identified what I believe to be a DNS amplification attack.

How do we turn off recursion in WHM and whitelist our own hosts, which refer to each other in /etc/resolv.conf?
Must this be done in named.conf, as I suspect, since I can't find any settings to adjust in WHM?

It's important that the server continues to return dns lookups for the domains for which it is authoritative. Presumably turning off recursion doesn't interfere with this?

For those interested, I'll post a few tcpdump logs so you too can check whether you're affected:

14:30:03.210460 IP static-ip-69-64-33-192.inaddr.ip-pool.com.47635 > 195.238.munged.domain: 11424+ [1au] ANY? . (28)
14:30:03.210482 IP static-ip-69-64-33-192.inaddr.ip-pool.com.47635 > 195.238.munged.domain: 11424+ [1au] ANY? . (28)
14:30:03.210503 IP static-ip-69-64-33-192.inaddr.ip-pool.com.47635 > 195.238.munged.domain: 11424+ [1au] ANY? . (28)
14:30:03.210525 IP static-ip-69-64-33-192.inaddr.ip-pool.com.47635 > 195.238.munged.domain: 11424+ [1au] ANY? . (28)
14:30:03.210547 IP static-ip-69-64-33-192.inaddr.ip-pool.com.47635 > 195.238.munged.domain: 11424+ [1au] ANY? . (28)

{times hundreds of entries}

Interestingly, dropping static-ip-69-64-33-192.inaddr.ip-pool.com in the firewall rules has no effect. And anyway, loads more hosts are also targeted.

Best
Dude
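An added example, not code from the original post: a small Python parser for tcpdump lines of the shape shown above. It groups queries by the claimed source address and flags the amplification signature visible in the capture (ANY for the root zone, sent with EDNS, repeated with a constant query ID). The sample lines are constructed in the same format: the first five mirror the thread's pattern, while the destination ns.example.net and the two benign queries at the end are invented for contrast. In a reflection attack the "source" is spoofed, so the address this code reports is the victim being flooded through the server, which is also why blocking it in the firewall changes nothing.

```python
import re
from collections import defaultdict

# Constructed sample in the exact tcpdump format posted above. The first five
# lines copy the thread's pattern (same spoofed source, same query ID, ANY for
# the root zone with EDNS); the destination ns.example.net and the two benign
# queries at the end are invented here for contrast.
SAMPLE = """\
14:30:03.210460 IP static-ip-69-64-33-192.inaddr.ip-pool.com.47635 > ns.example.net.domain: 11424+ [1au] ANY? . (28)
14:30:03.210482 IP static-ip-69-64-33-192.inaddr.ip-pool.com.47635 > ns.example.net.domain: 11424+ [1au] ANY? . (28)
14:30:03.210503 IP static-ip-69-64-33-192.inaddr.ip-pool.com.47635 > ns.example.net.domain: 11424+ [1au] ANY? . (28)
14:30:03.210525 IP static-ip-69-64-33-192.inaddr.ip-pool.com.47635 > ns.example.net.domain: 11424+ [1au] ANY? . (28)
14:30:03.210547 IP static-ip-69-64-33-192.inaddr.ip-pool.com.47635 > ns.example.net.domain: 11424+ [1au] ANY? . (28)
14:30:03.311002 IP 203.0.113.9.53011 > ns.example.net.domain: 51200+ A? www.example.net. (33)
14:30:03.412110 IP 198.51.100.22.40001 > ns.example.net.domain: 7+ MX? example.net. (29)
"""

# timestamp, src host.port, dst host.port, query id + flags, optional "[1au]",
# qtype, qname, payload length
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"(?P<id>\d+)(?P<flags>[+$|-]*) (?:\[(?P<edns>[^\]]*)\] )?"
    r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<len>\d+)\)$"
)


def parse_query(line):
    """Parse one tcpdump DNS query line; return a dict, or None if it is not a query."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    q = m.groupdict()
    q["len"] = int(q["len"])
    q["sport"] = int(q["sport"])
    # "[1au]" = one additional record, the 'u' marking an EDNS OPT record: the
    # client advertises a large UDP buffer, which is what lets the reflected
    # answer be many times the size of the 28-byte question.
    q["edns"] = q["edns"] is not None
    return q


def is_amplifiable(q):
    """The signature from the capture: an EDNS ANY query (here for the root zone)."""
    return q["qtype"] == "ANY" and q["edns"]


def find_reflection_victims(capture, threshold=3):
    """Group queries by claimed source; return sources with >= threshold amplifiable queries.

    The source address in such a flood is spoofed, so the keys of the result are
    the hosts being attacked *through* this server, not the attacker.
    """
    per_src = defaultdict(lambda: {"total": 0, "amplifiable": 0, "bytes_in": 0,
                                   "qnames": set(), "ids": set()})
    for line in capture.splitlines():
        q = parse_query(line)
        if q is None:
            continue
        s = per_src[q["src"]]
        s["total"] += 1
        s["bytes_in"] += q["len"]
        s["ids"].add(q["id"])          # a real resolver rotates IDs; a flood tool often does not
        if is_amplifiable(q):
            s["amplifiable"] += 1
            s["qnames"].add(q["qname"])
    return {src: s for src, s in per_src.items() if s["amplifiable"] >= threshold}


if __name__ == "__main__":
    for src, s in find_reflection_victims(SAMPLE).items():
        print(f"{src}: {s['amplifiable']}/{s['total']} EDNS ANY queries, "
              f"{s['bytes_in']} bytes in, qnames={sorted(s['qnames'])}, "
              f"distinct ids={len(s['ids'])}")
```

To use it on a live box, feed it the output of something like `tcpdump -nn -i eth0 udp dst port 53` (hostname resolution off, so the source column is an address rather than a reverse lookup).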
 

quizknows

Well-Known Member
Oct 20, 2009
Edit named.conf and add the options to restrict recursion.

Configuring a BIND DNS Server

something like this in named.conf would be fine:

acl "trusted" {
    localhost;          // queries from the server itself
    192.168.0.0/16;     // your own hosts; use the networks that point at this server in /etc/resolv.conf
};

options {
    allow-recursion { trusted; };   // everyone else gets authoritative answers only
};

(you may have an options section already; if so, just add the allow-recursion line inside that section)

You are correct, this will have no negative impact on the named server responding to queries for domains for which it is authoritative. You can normally use 'none' instead of 'trusted' as long as it's not a DNS cluster and the box has an external resolver (i.e. not localhost) in /etc/resolv.conf. My named server has recursion set to none, and it's fine for authoritative queries.
 

BigLebowski

Thanks m8.

cPanel told me today that the default BIND install is recursion OFF, but this does not appear to be the case. I've got 30 or more named.confs to edit! :)

Best
Dude
 

BigLebowski

Another question, I've added:

allow-recursion {        // inside the existing options { ... } block
    127.0.0.1;
    195.238.munged.1;
    195.238.munged.2;
};

where "munged.1" and "munged.2" are the main primary and secondary IPs of the host (webserver) and its two nameservers. A dig at the host now shows that RA is disabled. But the attack seems to be continuing, albeit the outbound has dropped a bit. Do I need to remove those two IPs and leave just 127.0.0.1 in place?

Best
Dude

- - - Updated - - -

Also, do I have to add IPs to the allow-recursion list for any other local host that lists this host in /etc/resolv.conf?

Best
Dude
 

quizknows

You need to use an ACL for the allow-recursion option. You'd need:

acl "trusted" {
    127.0.0.1;
    195.238.munged.1;
    195.238.munged.2;
};

options {
    allow-recursion { trusted; };
};
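As an added example (not code from this thread, nor from cPanel or BIND), here is a small Python checker for the question raised in the two posts above about which hosts end up in the allow-recursion list. Given a named.conf, it resolves acl references and decides whether a particular client address would be granted recursion, following BIND's first-match semantics for address match lists (including `!` negation and `recursion no;`). Run it once per host that lists this server in /etc/resolv.conf: a False for one of them means that host's recursive lookups will be refused after the change, while authoritative answers for the server's own zones are unaffected either way. The configuration fragment is constructed in the shape of the answers above, with 192.0.2.10 and 192.0.2.11 standing in for the munged server IPs; `localnets` is not modelled because it depends on the server's interface list, and `localhost` is approximated as loopback only.

```python
import ipaddress
import re

# Constructed named.conf fragment in the shape of the answers above. 192.0.2.10
# and .11 stand in for the munged server IPs; 192.168.0.0/16 is the private range
# used in the first answer.
SAMPLE_CONF = """
// hosts allowed to use this server as a recursive resolver
acl "trusted" {
    localhost;
    192.0.2.10;
    192.0.2.11;
    192.168.0.0/16;
};

options {
    directory "/var/named";
    allow-recursion { trusted; };
};
"""


def _strip_comments(text):
    """Remove /* */, // and # comments (all three are valid in named.conf)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _brace_body(text, open_idx):
    """Text between the '{' at open_idx and its matching '}', allowing nesting."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def _elements(body):
    return [e.strip().strip('"') for e in body.split(";") if e.strip()]


def parse_acls(text):
    """{acl_name: [element, ...]} for each top-level acl statement."""
    acls = {}
    for m in re.finditer(r'\bacl\s+"?([\w.-]+)"?\s*\{', text):
        acls[m.group(1)] = _elements(_brace_body(text, m.end() - 1))
    return acls


def allow_recursion_list(text):
    """Elements of allow-recursion inside options {}: [] if 'recursion no', None if unset."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return None
    body = _brace_body(text, m.end() - 1)
    if re.search(r"\brecursion\s+no\s*;", body):
        return []  # recursion disabled outright; same effect as allow-recursion { none; }
    m = re.search(r"\ballow-recursion\s*\{", body)
    if not m:
        return None  # not set: BIND's compiled-in default applies, which varies by version
    return _elements(_brace_body(body, m.end() - 1))


def _matches(elems, ip, acls, depth=0):
    """BIND address_match_list: first matching element wins, '!' negates.
    Returns True (allow), False (deny) or None (no element matched)."""
    if depth > 8:
        raise ValueError("acl nesting too deep")
    for elem in elems:
        neg = elem.startswith("!")
        name = elem.lstrip("!").strip()
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name == "localhost":
            # Approximation: BIND's localhost also covers the server's own interface addresses.
            hit = ip.is_loopback
        elif name == "localnets":
            raise ValueError("localnets depends on the server's interfaces; not modelled here")
        elif name in acls:
            nested = _matches(acls[name], ip, acls, depth + 1)
            if nested is None:
                continue
            return nested != neg
        else:
            hit = ip in ipaddress.ip_network(name, strict=False)
        if hit:
            return not neg
    return None


def recursion_allowed(conf_text, client_ip):
    """True/False when the config decides recursion for client_ip; None if it leaves the default."""
    text = _strip_comments(conf_text)
    elems = allow_recursion_list(text)
    if elems is None:
        return None
    return bool(_matches(elems, ipaddress.ip_address(client_ip), parse_acls(text)))


if __name__ == "__main__":
    for ip in ("69.64.33.192", "192.168.4.7", "192.0.2.11", "127.0.0.1"):
        print(ip, "->", recursion_allowed(SAMPLE_CONF, ip))
```

On a real server call `recursion_allowed(open("/etc/named.conf").read(), "<resolv.conf client>")` for each internal host; a None result means the file does not set the policy at all, so the server is running on whatever its BIND version defaults to and the answer has to come from `dig` (check the `ra` flag) rather than from the file.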