How to prevent an on-going DNS reflection attack?

Discussion in 'Security' started by jols, Sep 22, 2012.

  1. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    3
    Trophy Points:
    168
    We are serving DNS from this server. Running WHM 11.32.4 (build 15).

    Our /var/log/messages is full of entries like this:

    Sep 22 04:52:05 apogee named[32381]: client 62.6.40.178#48758: view external: query (cache) 'homefarmland.com/MX/IN' denied
    Sep 22 04:52:06 apogee named[32381]: client 24.197.239.154#52579: view external: query (cache) 'homefarmland.com/MX/IN' denied
    Sep 22 04:52:07 apogee named[32381]: client 74.125.181.25#65069: view external: query (cache) 'stevengoodphoto.com/A/IN' denied
    Sep 22 04:52:07 apogee named[32381]: client 74.125.17.91#52658: view external: query (cache) 'stevengoodphoto.com/A/IN' denied
    Sep 22 04:52:07 apogee named[32381]: client 84.14.138.206#37547: view external: query (cache) 'stEVeNgooDPHOto.CoM/A/IN' denied
    Sep 22 04:52:07 apogee named[32381]: client 84.14.138.206#33757: view external: query (cache) 'stEVeNgooDPHOto.CoM/A/IN' denied
    Sep 22 04:52:07 apogee named[32381]: client 84.14.138.206#29783: view external: query (cache) 'stEVeNgooDPHOto.CoM/A/IN' denied
    Sep 22 04:52:08 apogee named[32381]: client 84.14.138.206#44995: view external: query (cache) 'stEVeNgooDPHOto.CoM/A/IN' denied
    Sep 22 04:52:08 apogee named[32381]: client 173.203.4.49#26700: view external: query (cache) 'charleslthomas.com/MX/IN' denied
    Sep 22 04:52:09 apogee named[32381]: client 173.203.4.49#42211: view external: query (cache) 'charleslthomas.com/MX/IN' denied
    Sep 22 04:52:09 apogee named[32381]: client 173.203.4.48#33108: view external: query (cache) 'charleslthomas.com/MX/IN' denied
    Sep 22 04:52:09 apogee named[32381]: client 173.203.4.48#33796: view external: query (cache) 'charleslthomas.com/MX/IN' denied
    Sep 22 04:52:09 apogee named[32381]: client 173.203.4.46#42156: view external: query (cache) 'charleslthomas.com/MX/IN' denied
    Sep 22 04:52:09 apogee named[32381]: client 173.203.4.46#23844: view external: query (cache) 'charleslthomas.com/MX/IN' denied
    Sep 22 04:52:10 apogee named[32381]: client 150.70.64.50#24021: view external: query (cache) 'servicemanagementart.ca/AAAA/IN' denied
    Sep 22 04:52:11 apogee named[32381]: client 192.94.94.26#12494: view external: query (cache) 'homefarmland.com/MX/IN' denied
    Sep 22 04:52:11 apogee named[32381]: client 199.21.99.69#5335: view external: query (cache) 'luxuryskinstore.com/A/IN' denied
    Sep 22 04:52:13 apogee named[32381]: client 192.94.94.27#51031: view external: query (cache) 'homefarmland.com/MX/IN' denied
    Sep 22 04:52:16 apogee named[32381]: client 192.94.94.26#56678: view external: query (cache) 'homefarmland.com/MX/IN' denied
    Sep 22 04:52:16 apogee named[32381]: client 87.236.197.113#26156: view external: query (cache) 'homefarmland.com/A/IN' denied

    I believe the attacker may be using our server in a reflection attack by hitting our DNS services this way. But in any case, this seems to be senselessly adding 4 to 8 to the load average of this server, 24 hours per day.

    We've got all the standard security configs in named.conf, but I have not switched off allow-recursion { trusted; }; yet, and recursion yes; is still set further down the list. I have heard that when this is done it can interfere with some scripts, particularly those involved with cc APIs, and so on.

    Currently I've got a shell script that runs every 20 seconds, tailing the last 30 log entries in /var/named/data/named.run. It looks for log entries containing the word "denied" and then blocks the IPs via /etc/csf/csf.pl -d. But the attacking IPs are seemingly endless, so this is doing next to no good as far as I can tell.

    Advice anyone?

    Thanks very much!
     
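Added example (editor's code, not the poster's script and not cPanel or BIND code): the aggregation the 20-second script above is reaching for, run over the whole log rather than the last 30 lines. It makes two things concrete. First, a "query (cache) '...' denied" line means BIND refused the query and answered REFUSED, a reply about the size of the question itself, so the cost here is the request rate plus the logging rather than amplified responses. Second, if this is a reflection attack with spoofed sources, as the post suspects, the "client" addresses are the addresses being reflected at, so blocking them one at a time is endless by construction; it is more useful to see which names and which clients dominate, apply a per-client rate threshold inside a sliding window, skip an allowlist of your own resolvers, and emit a csf deny only for addresses not already denied. The log lines are a constructed sample in the format shown in the post; the 10.0.0.0/8 allowlist, the year 2012 for the syslog timestamps, and the threshold values are assumptions for the demo.

```python
"""Aggregate BIND 'query (cache) ... denied' lines by client and by name.

Added example for this thread (not the poster's script, not cPanel code).
Feed it the lines of /var/named/data/named.run or /var/log/messages.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# BIND writes this line (category 'security') when a client is refused
# cache or recursive access; the client gets a REFUSED answer.
DENIED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"(?:view (?P<view>\S+): )?"
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied"
)

# Constructed sample in the format shown in the post. 10.0.0.53 stands in
# for an internal resolver that must never be blocked (assumption); the
# last line is a non-'denied' line that the parser must ignore.
SAMPLE_LOG = """\
Sep 22 04:52:05 apogee named[32381]: client 62.6.40.178#48758: view external: query (cache) 'homefarmland.com/MX/IN' denied
Sep 22 04:52:07 apogee named[32381]: client 84.14.138.206#37547: view external: query (cache) 'stEVeNgooDPHOto.CoM/A/IN' denied
Sep 22 04:52:07 apogee named[32381]: client 84.14.138.206#33757: view external: query (cache) 'stEVeNgooDPHOto.CoM/A/IN' denied
Sep 22 04:52:07 apogee named[32381]: client 84.14.138.206#29783: view external: query (cache) 'stEVeNgooDPHOto.CoM/A/IN' denied
Sep 22 04:52:08 apogee named[32381]: client 84.14.138.206#44995: view external: query (cache) 'stEVeNgooDPHOto.CoM/A/IN' denied
Sep 22 04:52:08 apogee named[32381]: client 173.203.4.49#26700: view external: query (cache) 'charleslthomas.com/MX/IN' denied
Sep 22 04:52:09 apogee named[32381]: client 173.203.4.49#42211: view external: query (cache) 'charleslthomas.com/MX/IN' denied
Sep 22 04:52:09 apogee named[32381]: client 10.0.0.53#40001: view external: query (cache) 'homefarmland.com/MX/IN' denied
Sep 22 04:52:09 apogee named[32381]: client 10.0.0.53#40002: view external: query (cache) 'homefarmland.com/MX/IN' denied
Sep 22 04:52:09 apogee named[32381]: client 10.0.0.53#40003: view external: query (cache) 'homefarmland.com/MX/IN' denied
Sep 22 04:52:11 apogee named[32381]: client 192.94.94.26#12494: view external: query (cache) 'homefarmland.com/MX/IN' denied
Sep 22 04:52:12 apogee named[32381]: zone example.com/IN: loaded serial 2012092201
""".splitlines()

CSF = "/etc/csf/csf.pl"  # path used in the post


def parse_line(line, year=2012):
    """Return a dict for a 'denied' line, or None for any other line."""
    m = DENIED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; the caller supplies it (assumed 2012).
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    rec["port"] = int(rec["port"])
    # Fold mixed-case names (as in the stEVeNgooDPHOto.CoM lines) to one key.
    rec["qname"] = rec["qname"].lower().rstrip(".")
    return rec


def summarize(lines, year=2012):
    """Parse all lines; return (records, count per client, count per name/type)."""
    records = [r for r in (parse_line(l, year) for l in lines) if r]
    by_client = Counter(r["ip"] for r in records)
    by_name = Counter((r["qname"], r["qtype"]) for r in records)
    return records, by_client, by_name


def block_candidates(records, threshold, window_seconds, allowlist=()):
    """Clients with at least `threshold` denied queries inside any sliding
    window of `window_seconds`, excluding addresses in `allowlist` networks."""
    nets = [ip_network(n) for n in allowlist]
    times = defaultdict(list)
    for r in records:
        times[r["ip"]].append(r["ts"])
    hits = set()
    for ip, ts in times.items():
        if any(ip_address(ip) in n for n in nets):
            continue
        ts.sort()
        lo = 0
        for hi in range(len(ts)):
            while (ts[hi] - ts[lo]).total_seconds() > window_seconds:
                lo += 1
            if hi - lo + 1 >= threshold:
                hits.add(ip)
                break
    return sorted(hits)


def csf_commands(ips, already_blocked=()):
    """One csf deny per address that is not already in the deny list, so a
    periodic run does not re-issue the same block every cycle."""
    seen = set(already_blocked)
    return [f"{CSF} -d {ip}" for ip in ips if ip not in seen]


if __name__ == "__main__":
    records, by_client, by_name = summarize(SAMPLE_LOG)
    print("denied queries:", len(records))
    for (name, qtype), n in by_name.most_common(3):
        print(f"{n:5d}  {name}/{qtype}")
    for ip, n in by_client.most_common(3):
        print(f"{n:5d}  {ip}")
    for cmd in csf_commands(block_candidates(records, 3, 5, ["10.0.0.0/8"])):
        print(cmd)
```

To run it against the live log, replace SAMPLE_LOG with the lines of /var/named/data/named.run and pass the IPs already present in csf.deny as already_blocked. The by_name counter is the part the original script never produces: it shows which names are being hammered, which is what you would rate-limit or take to the upstream provider, whereas the per-client list is only as good as the honesty of the source addresses.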
  2. jols

    jols Well-Known Member

    More detail for my named.conf settings:

    In

    view "external" {

    Recursion is set to "no".

    In

    view "localhost_resolver" {

    Recursion is set to "yes"

    In

    view "internal" {

    Recursion is set to "yes"


    So could these just be attempts that are essentially not sending responses out, and are truly being denied? If so, then how the heck can I prevent logging for this stuff?
     
  3. jols

    jols Well-Known Member