The Community Forums

Interact with an entire community of cPanel & WHM users!

DNS amplification attack and mitigation efforts

Discussion in 'Security' started by BigLebowski, Apr 12, 2013.

  1. BigLebowski

    Hi there

    Like many others on here I suspect, we allow recursive DNS queries, which is the default cPanel install situation (with BIND, anyway). Recently we've noticed our outbound traffic ramp and are receiving double bandwidth charges from our suppliers. Today I noticed high outbound on a box and, using tcpdump, identified what I believe to be a DNS amplification attack.

    How do we turn off recursion in WHM and whitelist our own hosts which refer to each other in /etc/resolv.conf?
    Must this be done in named.conf as I suspect, since I can't find any settings to adjust in WHM?

    It's important that the server continues to return dns lookups for the domains for which it is authoritative. Presumably turning off recursion doesn't interfere with this?

    For those interested, I post a few tcpdump logs so you too can check to see if you're affected:

    14:30:03.210460 IP static-ip-69-64-33-192.inaddr.ip-pool.com.47635 > 195.238.munged.domain: 11424+ [1au] ANY? . (28)
    14:30:03.210482 IP static-ip-69-64-33-192.inaddr.ip-pool.com.47635 > 195.238.munged.domain: 11424+ [1au] ANY? . (28)
    14:30:03.210503 IP static-ip-69-64-33-192.inaddr.ip-pool.com.47635 > 195.238.munged.domain: 11424+ [1au] ANY? . (28)
    14:30:03.210525 IP static-ip-69-64-33-192.inaddr.ip-pool.com.47635 > 195.238.munged.domain: 11424+ [1au] ANY? . (28)
    14:30:03.210547 IP static-ip-69-64-33-192.inaddr.ip-pool.com.47635 > 195.238.munged.domain: 11424+ [1au] ANY? . (28)

    {times hundreds of entries}

    Interestingly, dropping static-ip-69-64-33-192.inaddr.ip-pool.com in the firewall rules has no effect. And anyway, loads more hosts are also targeted.

    Best
    Dude
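Added example, not part of the thread: a short Python script that parses tcpdump summary lines like the ones quoted above and groups amplification-prone queries (ANY, TXT, DNSKEY, RRSIG) by source address, so you can tell a reflection flood apart from ordinary client traffic. The capture is constructed for the example with documentation-range addresses; the threshold, the hostnames and the choice of query types are assumptions. Note that in a reflection attack the "source" is the spoofed victim, not the attacker, which is why blocking sources one at a time does not scale and closing recursion is the actual fix.

```python
import re
from collections import defaultdict

# Constructed tcpdump DNS summary lines in the same shape as the ones quoted in
# the post; documentation-range addresses and hostnames stand in for real hosts.
# "11424+" is the query id with RD (recursion desired) set, "[1au]" means one
# EDNS OPT record in the additional section, "(28)" is the UDP payload length.
SAMPLE_CAPTURE = """\
14:30:03.210460 IP victim-a.example.net.47635 > 203.0.113.10.domain: 11424+ [1au] ANY? . (28)
14:30:03.210482 IP victim-a.example.net.47635 > 203.0.113.10.domain: 11424+ [1au] ANY? . (28)
14:30:03.210503 IP victim-a.example.net.47635 > 203.0.113.10.domain: 11424+ [1au] ANY? . (28)
14:30:03.210525 IP victim-a.example.net.47635 > 203.0.113.10.domain: 11424+ [1au] ANY? . (28)
14:30:03.210547 IP victim-a.example.net.47635 > 203.0.113.10.domain: 11424+ [1au] ANY? . (28)
14:30:03.311200 IP 192.0.2.44.53011 > 203.0.113.10.domain: 9901+ A? www.example.com. (33)
14:30:03.412400 IP 198.51.100.9.50000 > 203.0.113.10.domain: 7+ [1au] TXT? example.org. (40)
14:30:03.513600 IP 198.51.100.9.50000 > 203.0.113.10.domain: 8+ [1au] TXT? example.org. (40)
14:30:03.614800 IP 198.51.100.9.50000 > 203.0.113.10.domain: 9+ [1au] TXT? example.org. (40)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<qid>\d+)(?P<rd>\+?)(?: \[[^\]]+\])? (?P<qtype>[A-Z0-9]+)\? "
    r"(?P<qname>\S+) \((?P<len>\d+)\)$"
)

# Query types whose answers are large compared with a ~30-byte question (assumed set).
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}


def parse_query(line):
    """Parse one tcpdump DNS query line into a dict; None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_host, _, src_port = m["src"].rpartition(".")   # tcpdump appends .port
    dst_host, _, dst_port = m["dst"].rpartition(".")
    return {
        "ts": m["ts"], "src": src_host, "sport": src_port,
        "dst": dst_host, "dport": dst_port,
        "qid": int(m["qid"]), "rd": m["rd"] == "+",
        "qtype": m["qtype"], "qname": m["qname"], "len": int(m["len"]),
    }


def find_reflection_sources(capture, threshold=3):
    """Count amplification-prone queries per source address and report the
    sources at or above `threshold`.  In a reflection attack that address is
    the spoofed victim, which is why blocking it one at a time does not scale."""
    per_src = defaultdict(lambda: {"queries": 0, "qids": set(),
                                   "qtypes": set(), "names": set()})
    for line in capture.splitlines():
        q = parse_query(line)
        if q is None or q["dport"] != "domain" or q["qtype"] not in AMPLIFYING_QTYPES:
            continue
        s = per_src[q["src"]]
        s["queries"] += 1
        s["qids"].add(q["qid"])
        s["qtypes"].add(q["qtype"])
        s["names"].add(q["qname"])
    findings = {}
    for src, s in per_src.items():
        if s["queries"] >= threshold:
            findings[src] = {
                "queries": s["queries"],
                "qtypes": sorted(s["qtypes"]),
                "names": sorted(s["names"]),
                # a single query id reused across packets is typical of a scripted flood
                "repeated_qid": len(s["qids"]) < s["queries"],
            }
    return findings


if __name__ == "__main__":
    for src, finding in find_reflection_sources(SAMPLE_CAPTURE).items():
        print(src, finding)
```

To feed it a real capture, run `tcpdump -n udp port 53` on the box (the `-n` keeps tcpdump from resolving names, which is itself a DNS query) and pipe the output into `find_reflection_sources`. The script only parses query lines; responses and non-DNS traffic are skipped.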
     
  2. quizknows

    Edit named.conf and add the options to restrict recursion.

    Configuring a BIND DNS Server

    something like this in named.conf would be fine:

    acl "trusted" {
        localhost;
        192.168.0.0/16;
    };

    options {
        allow-recursion { trusted; };
    };

    (you may have an options section already, if so, just add the allow-recursion line inside of that section)

    You are correct, this will have no negative impact on the named server responding to queries for domains for which it is authoritative. You can normally use 'none' instead of 'trusted' as long as it's not a DNS cluster and the box has an external resolver (i.e. not localhost) in /etc/resolv.conf. My named server has recursion set to none, and it's fine for authoritative queries.
     
    #2 quizknows, Apr 12, 2013
    Last edited: Apr 12, 2013
  3. BigLebowski

    Thanks m8.

    cPanel told me today that the default BIND install is recursion OFF, but this does not appear to be the case. I've got 30 or more named.confs to edit! :)

    Best
    Dude
     
  4. BigLebowski

    Another question, I've added:

    allow-recursion {
        127.0.0.1;
        195.238.munged.1;
        195.238.munged.2;
    };

    where "munged.1" and "munged.2" are the main primary and secondary IPs of the host (webserver) and its two nameservers. A dig at the host now shows that RA is disabled. But the attack seems to be continuing, albeit the outbound has dropped a bit. Do I need to remove those two IPs and leave just 127.0.0.1 in place?

    Best
    Dude

    - - - Updated - - -

    Also, do I have to add IPs to the "allow-recursion" list for any other local host that lists this host in /etc/resolv.conf?

    Best
    Dude
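Added example, not part of the thread: the RA check the poster did with dig, done at the wire level in Python. `dig @server . ANY` prints the header bits in its `;; flags:` line (`qr rd ra` from an open resolver, no `ra` once recursion is closed); the code below builds the same kind of 28-byte `ANY .` query seen in the capture, decodes the header flags of a response, and classifies what the server is willing to do. The responses are constructed for the example (header and question only, no records), and the query id and EDNS buffer size are assumed values.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

# DNS header flag bits (RFC 1035 section 4.1.1)
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


def build_any_root_query(qid=11424, udp_payload=4096):
    """Wire-format 'ANY .' query with RD set plus an EDNS0 OPT record, the shape
    of the 28-byte queries in the capture.  The OPT record advertises a large
    UDP buffer so the reflected answer can be as big as possible."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 1)         # QDCOUNT 1, ARCOUNT 1
    question = b"\x00" + struct.pack("!HH", 255, 1)             # name ".", QTYPE ANY, IN
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)  # OPT: class = buffer size
    return header + question + opt


def parse_header(pkt):
    """Decode the 12-byte DNS header into its flags and section counts."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {
        "id": qid, "qr": bool(flags & QR), "aa": bool(flags & AA),
        "tc": bool(flags & TC), "rd": bool(flags & RD), "ra": bool(flags & RA),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def recursion_status(response):
    """'open' if the server advertises RA, 'authoritative' if it answered from
    its own zone without offering recursion, 'refused' on rcode REFUSED
    (what BIND 9 returns for names it is not authoritative for once recursion
    is closed), otherwise 'closed'."""
    h = parse_header(response)
    if not h["qr"]:
        raise ValueError("packet is a query, not a response")
    if h["ra"]:
        return "open"
    if h["aa"]:
        return "authoritative"
    return "refused" if RCODES.get(h["rcode"]) == "REFUSED" else "closed"


QUESTION_ANY_ROOT = b"\x00" + struct.pack("!HH", 255, 1)
# Constructed header-only responses (no answer records), enough to read the flags.
OPEN_RESOLVER_REPLY = struct.pack("!HHHHHH", 11424, QR | RD | RA, 1, 0, 0, 0) + QUESTION_ANY_ROOT
RECURSION_REFUSED_REPLY = struct.pack("!HHHHHH", 11424, QR | RD | 5, 1, 0, 0, 0) + QUESTION_ANY_ROOT
AUTHORITATIVE_REPLY = struct.pack("!HHHHHH", 4242, QR | AA | RD, 1, 1, 0, 0)

if __name__ == "__main__":
    q = build_any_root_query()
    print(len(q), "byte query, flags:", parse_header(q))
    for name, reply in [("open resolver", OPEN_RESOLVER_REPLY),
                        ("recursion refused", RECURSION_REFUSED_REPLY),
                        ("own zone", AUTHORITATIVE_REPLY)]:
        print(name, "->", recursion_status(reply))
```

The third constructed reply is the case the poster wanted to keep working: a query for one of the server's own zones comes back with AA set and RA clear, which is correct behaviour for an authoritative-only server, not a sign that something broke.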
     
  5. quizknows

    You need to use an ACL for the allow-recursion option. You'd need:

    acl "trusted" {
        127.0.0.1;
        195.238.munged.1;
        195.238.munged.2;
    };

    options {
        allow-recursion { trusted; };
    };
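Added example, not part of the thread: with 30-odd named.conf files to go through, a checker that reads each one and reports its recursion policy saves a lot of eyeballing. This Python script (my code, not cPanel's or the posters') strips BIND's three comment styles, extracts `acl` and `options` blocks with proper brace matching, flattens `allow-recursion` through any named ACLs, and classifies the file as open, restricted, disabled or default. The four configs are constructed for the example, using the ACL layout from the two replies above with documentation-range addresses.

```python
import re

# Constructed named.conf fragments (not the poster's files) for the states
# discussed in the thread; addresses are documentation ranges.
OPEN_CONF = """
options {
    directory "/var/named";
    allow-recursion { any; };   // recursive service for the whole Internet
};
"""
DEFAULT_CONF = """
options {
    directory "/var/named";     # no recursion or allow-recursion statement
};
"""
RESTRICTED_CONF = """
acl "trusted" {
    127.0.0.1;
    203.0.113.1;   /* the host's own IPs and the hosts that resolve through it */
    203.0.113.2;
};
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { trusted; };
};
"""
AUTH_ONLY_CONF = """
options {
    directory "/var/named";
    recursion no;               // authoritative answers only
};
"""


def strip_comments(text):
    """Remove the three comment styles BIND accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def balanced_body(text, open_brace):
    """Return the text between the '{' at `open_brace` and its matching '}'."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def blocks(text, keyword):
    """Yield (name, body) for every `keyword ["name"] { ... }` statement."""
    pattern = r'\b%s\b(?:\s+"?([\w.-]+)"?)?\s*\{' % re.escape(keyword)
    for m in re.finditer(pattern, text):
        yield m.group(1), balanced_body(text, m.end() - 1)


def expand_match_list(body, acls, seen=()):
    """Flatten an address_match_list, following references to named ACLs."""
    out = []
    for item in (x.strip().strip('"') for x in body.split(";")):
        if not item:
            continue
        if item in acls and item not in seen:
            out.extend(expand_match_list(acls[item], acls, seen + (item,)))
        else:
            out.append(item)
    return out


def audit_recursion(conf):
    """Classify the recursion policy: disabled, restricted, open, or default
    (no allow-recursion at all; BIND 9.4 and later then default to
    localhost/localnets, older releases to any, so confirm with dig)."""
    text = strip_comments(conf)
    acls = {name: body for name, body in blocks(text, "acl") if name}
    options = [body for _, body in blocks(text, "options")]
    if not options:
        return {"status": "no-options-block", "allowed": []}
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", options[0])
    if rec and rec.group(1) == "no":
        return {"status": "disabled", "allowed": []}
    allow = [body for _, body in blocks(options[0], "allow-recursion")]
    if not allow:
        return {"status": "default", "allowed": []}
    allowed = expand_match_list(allow[0], acls)
    return {"status": "open" if "any" in allowed else "restricted", "allowed": allowed}


if __name__ == "__main__":
    for label, conf in [("open", OPEN_CONF), ("default", DEFAULT_CONF),
                        ("restricted", RESTRICTED_CONF), ("auth-only", AUTH_ONLY_CONF)]:
        print(label, audit_recursion(conf))
```

Pointing `audit_recursion` at `open(path).read()` for each server's named.conf gives one line per box. A "restricted" result still needs the `allowed` list reviewed: any host that names this server in its /etc/resolv.conf has to appear there, or its lookups for outside domains will start getting REFUSED.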
     