A case of handling a BIND DNS traffic attack
Symptoms: the server receives a large number of resolution requests asking for all (or most) records under a given domain. This is a common reflected-request attack, and the apparent originator is usually the victim: the source IPs on the queries the DNS server receives are generally forged and are the addresses the attacker actually wants to hit, while the queries themselves are essentially full-record (ANY) queries for one domain, so both their count and their bandwidth are substantial. The result is a large volume of UDP traffic between the DNS server and the victim, which is exactly what the attacker wants.
The following methods can be used to mitigate this while handling the incident.
Blocking source addresses with iptables alone is not an effective solution, because the source IPs on these requests are very likely forged.
Maybe someone is just playing with a script or posted some example code using your DNS server as a reference on some Chinese forum, or it's just a bot trying to make recursive queries about some domains (you should check that in the BIND conf file in the logging section, http://www.zytrax.com/books/dns/ch7/logging.html, just by inspecting what kind of queries they are doing). Given the low amount of requests (I hope your DNS infrastructure can survive with that!) you have 2 possibilities:
1 - Block the IP addresses altogether (check http://www.find-ip-address.org/ip-country/ )
2 - Limit the number of connections to 3 per second per IP using iptables
iptables -A INPUT -s ipaddress -p udp --dport 53 -m limit --limit 3/s -j ACCEPT
iptables -A INPUT -s ipaddress -p udp --dport 53 -j DROP
Note that limiting the concurrent connections may cause some issues if you apply this for any IP address, as legitimate queries of legitimate clients will time out, slowing down the browsing speed of any client/server using your DNS...
Besides rate-limiting requests with iptables, the fail2ban tool can also be used to block IP addresses that send an excessive volume of queries.
Blocking a DNS DDoS using fail2ban
Protection against isc.org any attack – dns attack isc.org any query
An attack on UDP port 53 is spreading around these days (the isc.org ANY query attack). The attack works like this:
The attacker sends a small UDP packet, using the victim's IP as the source, to nameservers around the Internet. The packet contains a DNS query like "send me all info about the domain isc.org". The DNS server replies to the real victim with a large packet containing all info about isc.org. This looks simple, but the attacker sends this query to many servers at once and they all reply to the real victim.
Using tcpdump for traffic analysis
The isc.org ANY attack as seen from tcpdump:
23:19:15.165596 IP x.x.x.x.7185 > yourdnsserver.53: 13442+ [1au] ANY? isc.org. (37)
Enable query logging on the BIND DNS server and analyze the source and behaviour of the attack from the logs.
BIND logs:
20:28:00.643 client x.x.x.x#49046: query: isc.org IN ANY +ED (x.x.x.x)
If you see this in your logs, keep in mind that you are not the victim; x.x.x.x is the victim, and your server will reply to x.x.x.x.
Here's why these attackers use the isc.org query (isc.org ANY attack):
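To turn the log line above into a detection, here is an added example (not part of the original post, not a fail2ban filter from the project) that parses BIND query-log lines and counts ANY queries per client address, which is the same signal a fail2ban filter would key on. The log lines are constructed and use documentation address ranges. As the text says, the client address in such a flood is the spoofed victim, so a hit means "stop reflecting toward this address", not "this address is the attacker".

```python
import re
from collections import Counter

# Constructed sample lines in the BIND "queries" log-category format shown above
# (addresses from RFC 5737 documentation ranges; not real traffic).
SAMPLE_LOG = [
    "20:28:00.643 client 203.0.113.7#49046: query: isc.org IN ANY +ED (192.0.2.53)",
    "20:28:00.644 client 203.0.113.7#49046: query: isc.org IN ANY +ED (192.0.2.53)",
    "20:28:00.645 client 203.0.113.7#49046: query: isc.org IN ANY +ED (192.0.2.53)",
    "20:28:00.646 client 203.0.113.7#49046: query: isc.org IN ANY +ED (192.0.2.53)",
    "20:28:00.647 client 203.0.113.7#49046: query: isc.org IN ANY +ED (192.0.2.53)",
    "20:28:01.010 client 198.51.100.9#5353: query: isc.org IN ANY +E (192.0.2.53)",
    "20:28:01.011 client 198.51.100.9#5353: query: isc.org IN ANY +E (192.0.2.53)",
    "20:28:01.500 client 192.0.2.10#33120: query: www.example.com IN A + (192.0.2.53)",
    "20:28:01.600 this line is not a query record and must be ignored",
]

# One query record: "client IP#port: query: NAME CLASS TYPE FLAGS (SERVER)".
# Newer BIND releases prefix the client with "@0x..." and append "(NAME)" after the
# port; both are tolerated as optional groups. IPv4 and IPv6 clients are accepted.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<name>\S+) IN (?P<type>\S+) (?P<flags>\S+)"
)


def parse_query_log(lines):
    """Yield (client_ip, qname, qtype, flags) for every line that is a query record."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield (m.group("ip"), m.group("name").rstrip(".").lower(),
                   m.group("type"), m.group("flags"))


def any_query_counts(lines):
    """Count ANY queries per client address."""
    return Counter(ip for ip, _, qtype, _ in parse_query_log(lines) if qtype == "ANY")


def find_any_flooders(lines, threshold=3):
    """Return {client_ip: count} for clients that sent more than `threshold` ANY queries.

    `threshold` is a count per batch of lines; feed this the lines of one time window
    (for example the last few seconds) to get a rate, which is what fail2ban's
    findtime/maxretry pair expresses.
    """
    return {ip: n for ip, n in any_query_counts(lines).items() if n > threshold}


def any_query_names(lines):
    """Count which names are being asked for with type ANY (the amplification payload)."""
    return Counter(name for _, name, qtype, _ in parse_query_log(lines) if qtype == "ANY")


if __name__ == "__main__":
    for ip, n in sorted(find_any_flooders(SAMPLE_LOG).items()):
        print("%s received %d reflected ANY answers; stop answering it" % (ip, n))
    print("names queried with ANY:", dict(any_query_names(SAMPLE_LOG)))
```

Run it against a real query log by replacing SAMPLE_LOG with the lines of one window of the log file; the addresses it reports are the ones to feed into an iptables DROP rule or a fail2ban jail, and any_query_names shows which domain is being used as the amplifier.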
# dig @8.8.8.8 freeoa.net any | grep SIZE
;; MSG SIZE rcvd: 337
# dig @8.8.8.8 isc.org any | grep SIZE
;; MSG SIZE rcvd: 2999
The reply from 8.8.8.8 (Google's public DNS server) when asked about isc.org is large.
How the isc.org ANY attack works (dns attack isc.org any query)
Attacker assumes:
1. He can send fake packets (using the victim's IP as source). This is possible because the Internet works by destination routing: packets are sent to their destination without checking their source. Some ISPs protect against this by checking that their clients are sending packets only from their assigned IP addresses (reverse path filtering), but there are still many ISPs that don't use this filtering and will pass spoofed packets towards their destination.
2. He can find open DNS servers: servers that will reply to any query from anyone who asks. There are many like this on the Internet (SOHO routers, DNS servers with default configurations, etc.).
Both conditions are easy to meet today. It's only a matter of scale: if someone has enough hosts to send these packets from (infected Windows machines, hacked servers, etc.), anything can happen.
How to protect against the isc.org ANY attack (dns attack isc.org any query)
Step 1 to protect against isc.org any attack
THIS IS A MUST: configure your DNS NOT to accept resolution requests from unauthorized IPs. If possible, for a caching-only DNS, also block UDP port 53 from unauthorized IPs towards your server on the firewall.
in bind:
named.conf:
include "/etc/namedb/acl.conf";
option in named.conf:
allow-query {"our-networks";};
allow-transfer {"transferip";};
in acl.conf:
acl "our-networks" {
127.0.0.1/32;
network1/x;
network2/x;
};
acl "transferip" {
127.0.0.1/32;
x.x.x.x/32;
y.y.y.y/32;
};
Step 2 to protect against isc.org any attack
If there are only a few sources, try to find where these packets are coming from and block them there.
Step 3 to protect against isc.org any attack
Limit UDP port 53 on your server, with something like this (I guess):
iptables -A INPUT -p udp -m connlimit --connlimit-above xx -j DROP
This might have an impact: if clients are forwarding DNS requests to your nameserver, regular queries may not work right.
Step 4 to protect against isc.org any attack
iptables can do:
iptables -A INPUT -p udp -m string --hex-string "|03697363036f726700|" --algo bm --to 65535 -j DROP
which would match that exact query (the hex string is the wire-format encoding of the name isc.org);
or you could try to find out the exact size of the packet used for this attack (use wireshark) and then block by packet size:
iptables -I INPUT -p udp --dport 53 -m length --length xx -j DROP
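The hex string in the rule above is the DNS wire-format encoding of the queried name, and building it by hand is error-prone. The following is an added example (not from the original post) that encodes a name into that form and emits the corresponding DROP rule. It also optionally appends the QTYPE/QCLASS bytes, so the rule can be narrowed to ANY queries for the name instead of dropping every lookup of it; that refinement, and the added --dport 53, are this example's choices, not the page's. The function and rule names are assumptions.

```python
import struct

QTYPE_ANY = 255   # RFC 1035 QTYPE "*" (ANY)
QCLASS_IN = 1


def dns_wire_name(name):
    """Encode a domain name in DNS wire format: each label prefixed by its length, ending in a 0 byte.

    The question section of a DNS packet never uses name compression, so this exact
    byte sequence appears verbatim in every query for `name` (and, as a substring, in
    queries for names below it, e.g. www.isc.org).
    """
    out = bytearray()
    for label in name.strip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes: %r" % label)
        out.append(len(label))
        out.extend(label.lower().encode("ascii"))
    if len(out) + 1 > 255:
        raise ValueError("encoded name exceeds 255 bytes")
    out.append(0)
    return bytes(out)


def dns_wire_question(name, qtype=None, qclass=QCLASS_IN):
    """Wire-format question: the name, optionally followed by QTYPE and QCLASS (big-endian u16)."""
    data = dns_wire_name(name)
    if qtype is not None:
        data += struct.pack("!HH", qtype, qclass)
    return data


def iptables_hex_string(name, qtype=None):
    """Render the question bytes as the |..| hex literal that `-m string --hex-string` expects."""
    return "|" + dns_wire_question(name, qtype).hex() + "|"


def iptables_drop_rule(name, qtype=None):
    """Build the DROP rule for UDP/53 queries carrying `name` (and `qtype`, if given).

    Restricting the match to --dport 53 keeps unrelated UDP traffic that happens to
    contain the same bytes from being dropped.
    """
    return (
        'iptables -A INPUT -p udp --dport 53 -m string --hex-string "%s" --algo bm --to 65535 -j DROP'
        % iptables_hex_string(name, qtype)
    )


if __name__ == "__main__":
    print(iptables_drop_rule("isc.org"))                  # every query for isc.org
    print(iptables_drop_rule("isc.org", qtype=QTYPE_ANY)) # only "isc.org IN ANY"
```

Without a qtype the rule behaves like the one quoted above and drops A and MX lookups for the name as well; with qtype=QTYPE_ANY only the amplification query is dropped, which is usually what you want on a resolver that legitimate clients still use.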
If your DNS server is not an open public resolver but only answers queries for your own domains, then turning off DNS recursion and refusing to proxy lookups of third-party names also cuts the attack traffic considerably. However, if other machines use this DNS server as their resolver, they will no longer be able to resolve other domains. For that case, Dnsmasq is recommended: configure it to listen on the internal network and provide resolution for the internal servers, which is both fast and safe.
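As an added example (not the original post's configuration), this is the shape of a named.conf for the case just described: an authoritative-only BIND server that answers for its own zone, refuses recursion, never serves cached data to outsiders, and rate-limits its responses so that residual ANY queries for its own zone cannot be used as an amplifier. The zone name, file path, network ranges and secondary address are assumptions.

```conf
// Added example, not the page's own config. Assumed values: zone example.com,
// internal network 192.0.2.0/24, secondary nameserver 192.0.2.2.
acl "our-networks" {
    127.0.0.1/32;
    192.0.2.0/24;
};

options {
    directory "/etc/namedb";
    recursion no;                          // authoritative only: no third-party lookups
    allow-query-cache { "our-networks"; }; // never hand cached data to the Internet
    allow-query { any; };                  // our own zones stay publicly answerable
    allow-transfer { none; };              // transfers are opened per zone below
    // Response Rate Limiting (BIND 9.9.4 or later): at most 5 identical responses
    // per second to any one /24, so a spoofed victim gets a trickle, not a flood.
    rate-limit {
        responses-per-second 5;
        window 5;
    };
    minimal-any yes;                       // BIND 9.11 or later: ANY over UDP returns one RRset
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { 192.0.2.2/32; };
};
```

With recursion off, internal hosts that need general resolution point at a separate internal resolver (the Dnsmasq setup mentioned above) rather than at this server.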