How to prevent an on-going DNS reflection attack?

Discussion in 'Security' started by jols, Sep 22, 2012.

  1. jols
    We are serving DNS from this server. Running WHM 11.32.4 (build 15).

    Our /var/log/messages is full of entries like this:

    Sep 22 04:52:05 apogee named[32381]: client 62.6.40.178#48758: view external: query (cache) 'homefarmland.com/MX/IN' denied
    Sep 22 04:52:06 apogee named[32381]: client 24.197.239.154#52579: view external: query (cache) 'homefarmland.com/MX/IN' denied
    Sep 22 04:52:07 apogee named[32381]: client 74.125.181.25#65069: view external: query (cache) 'stevengoodphoto.com/A/IN' denied
    Sep 22 04:52:07 apogee named[32381]: client 74.125.17.91#52658: view external: query (cache) 'stevengoodphoto.com/A/IN' denied
    Sep 22 04:52:07 apogee named[32381]: client 84.14.138.206#37547: view external: query (cache) 'stEVeNgooDPHOto.CoM/A/IN' denied
    Sep 22 04:52:07 apogee named[32381]: client 84.14.138.206#33757: view external: query (cache) 'stEVeNgooDPHOto.CoM/A/IN' denied
    Sep 22 04:52:07 apogee named[32381]: client 84.14.138.206#29783: view external: query (cache) 'stEVeNgooDPHOto.CoM/A/IN' denied
    Sep 22 04:52:08 apogee named[32381]: client 84.14.138.206#44995: view external: query (cache) 'stEVeNgooDPHOto.CoM/A/IN' denied
    Sep 22 04:52:08 apogee named[32381]: client 173.203.4.49#26700: view external: query (cache) 'charleslthomas.com/MX/IN' denied
    Sep 22 04:52:09 apogee named[32381]: client 173.203.4.49#42211: view external: query (cache) 'charleslthomas.com/MX/IN' denied
    Sep 22 04:52:09 apogee named[32381]: client 173.203.4.48#33108: view external: query (cache) 'charleslthomas.com/MX/IN' denied
    Sep 22 04:52:09 apogee named[32381]: client 173.203.4.48#33796: view external: query (cache) 'charleslthomas.com/MX/IN' denied
    Sep 22 04:52:09 apogee named[32381]: client 173.203.4.46#42156: view external: query (cache) 'charleslthomas.com/MX/IN' denied
    Sep 22 04:52:09 apogee named[32381]: client 173.203.4.46#23844: view external: query (cache) 'charleslthomas.com/MX/IN' denied
    Sep 22 04:52:10 apogee named[32381]: client 150.70.64.50#24021: view external: query (cache) 'servicemanagementart.ca/AAAA/IN' denied
    Sep 22 04:52:11 apogee named[32381]: client 192.94.94.26#12494: view external: query (cache) 'homefarmland.com/MX/IN' denied
    Sep 22 04:52:11 apogee named[32381]: client 199.21.99.69#5335: view external: query (cache) 'luxuryskinstore.com/A/IN' denied
    Sep 22 04:52:13 apogee named[32381]: client 192.94.94.27#51031: view external: query (cache) 'homefarmland.com/MX/IN' denied
    Sep 22 04:52:16 apogee named[32381]: client 192.94.94.26#56678: view external: query (cache) 'homefarmland.com/MX/IN' denied
    Sep 22 04:52:16 apogee named[32381]: client 87.236.197.113#26156: view external: query (cache) 'homefarmland.com/A/IN' denied

    I believe the attacker may be using our server for a reflection attack by hitting our DNS services this way. But in any case, this seems to be senselessly adding 4 to 8 to the load average of this server, 24 hours per day.

    We've got all the standard security configs in named.conf but I have not switched off allow-recursion { trusted; }; yet, and recursion yes; is still (set to yes) further down the list. I have heard that when this is done it can interfere with some scripts, particularly those involved with cc APIs, and so on.

    Currently I've got a shell script that runs every 20 seconds, tailing the last 30 log entries in /var/named/data/named.run; it looks for log entries containing the word "denied", then blocks the IPs via /etc/csf/csf.pl -d. But the attacking IPs are seemingly endless, so this is doing next to no good as far as I can tell.

    Advice anyone?

    Thanks very much!
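    As an added example (not the poster's script), a Python summary of the "query (cache) ... denied" lines quoted above: it aggregates denials per source address and per queried name, and reports what share of the traffic comes from addresses seen only once, which is the figure that tells you whether blocking each logged IP through csf can ever keep up. The sample log is constructed in the same format as the excerpt; its addresses and names are made up.

```python
import re
from collections import Counter

# Matches the "query (cache) '...' denied" lines BIND logs when a client
# outside the recursion ACL asks for a name the server is not authoritative for.
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: view (?P<view>\S+): "
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/IN' denied"
)

# Constructed sample in the format of the post's named.run excerpt; addresses
# (RFC 5737 ranges) and names are made up for this example.
SAMPLE_LOG = """\
Sep 22 04:52:05 apogee named[32381]: client 192.0.2.10#48758: view external: query (cache) 'example.com/MX/IN' denied
Sep 22 04:52:06 apogee named[32381]: client 192.0.2.11#52579: view external: query (cache) 'example.com/MX/IN' denied
Sep 22 04:52:07 apogee named[32381]: client 198.51.100.7#65069: view external: query (cache) 'ExAmPle.CoM/A/IN' denied
Sep 22 04:52:07 apogee named[32381]: client 198.51.100.7#33757: view external: query (cache) 'EXAMPLE.com/A/IN' denied
Sep 22 04:52:08 apogee named[32381]: client 203.0.113.5#26700: view external: query (cache) 'example.net/AAAA/IN' denied
Sep 22 04:52:09 apogee named[32381]: client 203.0.113.9#42211: view external: query (cache) 'example.org/A/IN' denied
Sep 22 04:52:09 apogee named[32381]: client 203.0.113.9#42212: view external: unrelated message, not a denial
"""

def parse_denied(text):
    """Return one dict per denied-recursion line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            rec = m.groupdict()
            # Fold mixed-case names such as 'stEVeNgooDPHOto.CoM' to one key.
            rec["qname"] = rec["qname"].lower()
            records.append(rec)
    return records

def summarize(records):
    """Count denials per source and per name, and how spread out the sources are."""
    clients = Counter(r["ip"] for r in records)
    qnames = Counter(r["qname"] for r in records)
    total = len(records)
    # Share of denials from sources seen exactly once.  When this is high, blocking
    # each logged IP (the csf loop in the post) chases an endless list of addresses.
    singletons = sum(1 for n in clients.values() if n == 1)
    return {
        "total": total,
        "unique_clients": len(clients),
        "singleton_share": singletons / total if total else 0.0,
        "top_clients": clients.most_common(3),
        "top_qnames": qnames.most_common(3),
    }
```

    Feed it the output of `tail -n 30 /var/named/data/named.run` instead of the sample to get the same breakdown for the live log; a few names with many one-off sources is the pattern worth acting on at the ACL level rather than per IP.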
     
  2. jols
    More detail for my named.conf settings:

    In view "external" { ... }, recursion is set to "no".

    In view "localhost_resolver" { ... }, recursion is set to "yes".

    In view "internal" { ... }, recursion is set to "yes".

    So could these just be attempts that are essentially not sending responses out, and are truly being denied? If so, then how the heck can I prevent logging for this stuff?
     