A DNS amplification attack

Late last night, someone began using my home Internet connection in DNS amplification attacks. My Virgin Media cable link was hit with several megabits of “ANY record” DNS queries for ripe.net.

IPs have been changed to protect the innocent.

 10   0.004841 23.20.43.112 -> 192.168.1.1 DNS Standard query ANY ripe.net
 11   0.004930 192.168.1.1 -> 194.168.8.100 DNS Standard query ANY ripe.net
 12   0.005479 194.168.8.100 -> 192.168.1.1 DNS Standard query response DNSKEY DNSKEY DNSKEY DNSKEY RRSIG A 193.0.6.139 RRSIG NS sec3.apnic.net NS sec1.apnic.net NS ns3.nic.fr NS sns-pb.isc.org NS pri.authdns.ripe.net NS tinnie.arin.net RRSIG SOA pri.authdns.ripe.net RRSIG NSEC 256cns.ripe.net RRSIG
 13   0.006017 192.168.1.1 -> 23.20.43.112 DNS Standard query response DNSKEY DNSKEY DNSKEY DNSKEY RRSIG A 193.0.6.139 RRSIG NS sec3.apnic.net NS sec1.apnic.net NS ns3.nic.fr NS sns-pb.isc.org NS pri.authdns.ripe.net NS tinnie.arin.net RRSIG SOA pri.authdns.ripe.net RRSIG NSEC 256cns.ripe.net RRSIG

Unfortunately my router’s DNS server then ran the recursive lookup, which caused at least one megabit of sent queries, and raised the total received traffic volume to 10 mbit. It seems that DNS amplification attacks against non-root DNS servers cause as much harm to the intermediate DNS resolver as to the victim.

Somehow the firewall on my OpenWrt router was allowing all incoming traffic to the router itself, even from the outside. I fixed that, and the traffic volume dropped off to just the original 1 mbit of queries.

I assume the script kiddies will let up eventually. If they don’t, I’ll have to deal with Virgin Media tech support. Would someone there kindly change the public IP address of cable modem 00:14:A4:97:5B:FA?

  1. Richard

    How did you fix the problem as i have the same thing going on right now and I need some help.

    1. Tyler Wagner

      I didn’t bother with Virgin Media tech support. I wouldn’t have gotten past level 1 without blowing my stack. “Sir, please open Network Settings and press refresh … GRAAAAAAA! HULK SMASH!”

      What I did was correct my firewall so it didn’t let inbound DNS queries through, and also blocked the 15 or so IP addresses responsible for the attack completely (so no ping either). After another day of 1 mbit of traffic, they gave up.

      1. Richard

        OK, I gathered their IPs from a Wireshark capture I did after plugging into the modem. So I just block port 53 inbound from the WAN along with their IPs?

        1. Tyler Wagner

          Yes, that’s correct. You also contacted me via the contact form to ask:

          “Hi, I was wanting to know if you could help some more? I have put some changes to my rules in my firewall that stop the traffic coming through my router, however I am still being heavily pinged by the people in question; they just don’t give up. I was wanting to know if you could look over my rules and see what I can do to further tighten up my firewall.”

          I’m happy to help, I just prefer to do it here where others can potentially find it.

          Consider blocking any inbound traffic, including ICMP, that isn’t related to outbound traffic. In iptables form, that means something like the following. Assume that eth1 is the LAN and eth0 is the WAN.

          iptables -A INPUT -i lo -j ACCEPT                                # loopback
          iptables -A INPUT -i eth1 -j ACCEPT                              # anything from the LAN
          iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP    # new TCP flows must start with SYN
          iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # replies to our own traffic
          iptables -A INPUT -j DROP                                        # everything else (WAN, including ICMP and 53/udp)

          This only protects the router itself, and has no effect on traffic forwarded through it. For a normal NAT router, this is what you want.

          In more generic rules, you want something like:

          ALLOW from LAN, myself
          ALLOW established traffic from WAN
          DROP all else

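The capture in the post and the block list in the reply above both come down to the same triage: which addresses are sending ANY queries to the router, how much bigger the answers are than the queries, and what to put in the WAN-side firewall. The following is an added example in Python, not code from the original post. It reads tcpdump-style summary lines (the sample below is constructed, using the addresses already in the post plus the RFC 5737 documentation address 198.51.100.7 as a second spoofed victim and 192.168.1.50 as a normal LAN client), counts ANY queries per source, estimates the amplification factor from the payload sizes tcpdump prints, and emits iptables rules matching the advice in this thread. The WAN interface name eth0 is an assumption. In a reflection attack the address that shows up as the query source is the spoofed victim, not the attacker, so the per-address rules only stop the router answering towards that victim; the --dport 53 rule is the one that closes the open resolver.

```python
"""Triage a tcpdump capture of a home resolver for DNS amplification abuse."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

RESOLVER = "192.168.1.1"  # the router's own DNS service, as in the post's capture

# Constructed sample in the shape of `tcpdump -n -i eth0 udp port 53` output
# (not a real capture). The number in parentheses is the DNS payload length.
SAMPLE_CAPTURE = """\
01:12:03.004841 IP 23.20.43.112.41234 > 192.168.1.1.53: 31337+ ANY? ripe.net. (26)
01:12:03.006017 IP 192.168.1.1.53 > 23.20.43.112.41234: 31337 22/6/0 DNSKEY, DNSKEY, RRSIG, A 193.0.6.139, NS pri.authdns.ripe.net. (2936)
01:12:03.104841 IP 23.20.43.112.41235 > 192.168.1.1.53: 31338+ ANY? ripe.net. (26)
01:12:03.106017 IP 192.168.1.1.53 > 23.20.43.112.41235: 31338 22/6/0 DNSKEY, DNSKEY, RRSIG, A 193.0.6.139, NS pri.authdns.ripe.net. (2936)
01:12:03.204841 IP 23.20.43.112.41236 > 192.168.1.1.53: 31339+ ANY? ripe.net. (26)
01:12:03.206017 IP 192.168.1.1.53 > 23.20.43.112.41236: 31339 22/6/0 DNSKEY, DNSKEY, RRSIG, A 193.0.6.139, NS pri.authdns.ripe.net. (2936)
01:12:03.304841 IP 198.51.100.7.6000 > 192.168.1.1.53: 100+ ANY? ripe.net. (26)
01:12:03.306017 IP 192.168.1.1.53 > 198.51.100.7.6000: 100 22/6/0 DNSKEY, DNSKEY, RRSIG, A 193.0.6.139, NS pri.authdns.ripe.net. (2936)
01:12:03.404841 IP 198.51.100.7.6000 > 192.168.1.1.53: 101+ ANY? ripe.net. (26)
01:12:03.406017 IP 192.168.1.1.53 > 198.51.100.7.6000: 101 22/6/0 DNSKEY, DNSKEY, RRSIG, A 193.0.6.139, NS pri.authdns.ripe.net. (2936)
01:12:04.100000 IP 192.168.1.50.55001 > 192.168.1.1.53: 4242+ A? example.com. (29)
01:12:04.101200 IP 192.168.1.1.53 > 192.168.1.50.55001: 4242 1/0/0 A 203.0.113.5 (45)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<body>.*) \((?P<length>\d+)\)$"
)
QUERY_RE = re.compile(r"\b(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)")  # only query lines carry "TYPE? name"


@dataclass
class ClientStats:
    queries: int = 0
    any_queries: int = 0
    query_bytes: int = 0
    response_bytes: int = 0
    names: set = field(default_factory=set)

    @property
    def amplification(self) -> float:
        """Response payload bytes per query payload byte. On the wire the ratio is
        a little lower, since both directions also carry Ethernet/IP/UDP headers."""
        return self.response_bytes / self.query_bytes if self.query_bytes else 0.0


def parse_line(line: str):
    """One tcpdump summary line -> dict, or None for lines that are not DNS over IPv4."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = {k: (int(v) if k in ("sport", "dport", "length") else v) for k, v in m.groupdict().items()}
    q = QUERY_RE.search(pkt["body"])
    pkt["qtype"] = q["qtype"] if q else None
    pkt["qname"] = q["qname"] if q else None
    return pkt


def summarise(capture: str, resolver: str = RESOLVER) -> Dict[str, ClientStats]:
    stats: Dict[str, ClientStats] = defaultdict(ClientStats)
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["dst"] == resolver and pkt["dport"] == 53:      # a query aimed at our resolver
            s = stats[pkt["src"]]
            s.queries += 1
            s.query_bytes += pkt["length"]
            if pkt["qtype"] == "ANY":
                s.any_queries += 1
            if pkt["qname"]:
                s.names.add(pkt["qname"])
        elif pkt["src"] == resolver and pkt["sport"] == 53:    # our answer going back out
            stats[pkt["dst"]].response_bytes += pkt["length"]
    return dict(stats)


def suspicious_sources(stats: Dict[str, ClientStats], min_any: int = 2, min_amplification: float = 10.0) -> List[str]:
    """Addresses that sent repeated ANY queries and received much larger answers.
    In a reflection attack these are the spoofed victims, not the attacker."""
    return sorted(ip for ip, s in stats.items()
                  if s.any_queries >= min_any and s.amplification >= min_amplification)


def iptables_rules(sources: List[str], wan: str = "eth0") -> List[str]:
    """WAN-side rules matching the advice in the thread (the interface name is an assumption)."""
    rules = [
        # Close the open resolver: nobody on the WAN may hand us a DNS query.
        # Replies to our own outbound queries arrive with *source* port 53, so they still pass.
        f"iptables -I INPUT -i {wan} -p udp --dport 53 -j DROP",
        f"iptables -I INPUT -i {wan} -p tcp --dport 53 -j DROP",
    ]
    # Optionally silence the reflected addresses entirely, ICMP included.
    rules += [f"iptables -I INPUT -i {wan} -s {ip} -j DROP" for ip in sources]
    return rules


if __name__ == "__main__":
    stats = summarise(SAMPLE_CAPTURE)
    for ip, s in sorted(stats.items()):
        print(f"{ip:16} queries={s.queries:3} ANY={s.any_queries:3} "
              f"amplification={s.amplification:6.1f}x names={sorted(s.names)}")
    print("\n".join(iptables_rules(suspicious_sources(stats))))
```

To use it on a real router, replace SAMPLE_CAPTURE with the output of `tcpdump -n -i eth0 udp port 53` run for a minute or two, as mentioned later in the thread. The LAN client in the sample gets an amplification of about 1.6x and is not listed; the two ANY sources come out at roughly 113x, which is why a single megabit of inbound queries turned into ten megabits of traffic in the post.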
        2. Richard

          Thanks for the firewall rules. I tried to add in some settings I found from this link here along with your rules: https://groups.google.com/forum/#!topic/ptp-ops/RIYo2j0dPMI

          With your rules it seems to be keeping the traffic out. My question is how long did you keep getting pinged etc.? At least it’s not passing through my router now, which is the main thing. I wanted to know how long it took for them to give up, as I am still getting pinged / traffic. When I plug in my old DG814 Netgear ADSL modem / router, the traffic stops after half an hour. However with my OpenWrt router the attack continues and still hasn’t stopped.
          So to summarize

          1. Your rules work at stopping this traffic
          2. The link from google groups doesn’t seem to be of much help.
          3. I am still being targeted by the botnet / script kiddies. How long will this last for?
          4. Should I inform my isp?
          5. What do you use to log your packets with?

          1. Tyler Wagner

            1. Great!
            2. It should do the same thing as my rules – it stops external DNS (53/udp) from coming in the WAN.
            3. I can’t say. They did it to me for several days once.
            4. Sure, if you think tech support can help. If they change your public IP the problem should go away.
            5. I either use the iptables LOG target (rarely) or tcpdump on the router (all the time). I don’t leave either running for long.
