Saturday, January 21, 2017

DNS Amplification Attacks On Open Recursive DNS Server Running dnsmasq

I run public ad-blocking and malware/ransomware-safe recursive DNS servers for the benefit of anyone wanting to use them. These DNS servers are available at the IP addresses 64.137.248.161, 64.137.248.212 and 64.137.228.122.

I use dnsmasq with domain blacklists to block advertising, malware and ransomware URLs for clients using these DNS servers. Since they are open to the internet for public access, it did not take long for weirdos to use them as amplifiers in DNS amplification attacks. Here is an example of a rather hilarious DNS amplification attack logged by one of the virtual cloud servers I maintain on New Year's Day 2017, possibly originating from a virtual private server sold by the Phoenix, Arizona based Nobis Technology Group, now owned by LeaseWeb according to their web site. I cannot but smile at whoever set up the DNS responder for enlansg.com.

Jan  1 07:03:05 wbri dnsmasq[23937]: query[ANY] enlansg.com from 23.82.61.2
...
Jan  1 07:03:05 wbri dnsmasq[23937]: reply enlansg.com is After working his way through college with the help of scholarships and student loans, President Obama moved to Chicago, where he worked with a group of churches to help rebuild communities devastated by the closure of local steel plants.
Jan  1 07:03:05 wbri dnsmasq[23937]: reply enlansg.com is After working his way through college with the help of scholarships and student loans, President Obama moved to Chicago, where he worked with a group of churches to helpff4
Jan  1 07:03:05 wbri dnsmasq[23937]: reply enlansg.com is President Obama's years of public service are based around his unwavering belief in the ability to unite people around a politics of purpose. In the Illinois State Senate, he passed the first major ethics reform in 25 years, cut taxes for working families
Jan  1 07:03:05 wbri dnsmasq[23937]: reply enlansg.com is , and expanded health care for children and their parents. As a United States Senator
Jan  1 07:03:05 wbri dnsmasq[23937]: reply enlansg.com is Aft3er working his way through college with the help of scholarships and student loans, President Obama moved to Chicago, where he worked with a group of churches to help
Jan  1 07:03:05 wbri dnsmasq[23937]: reply enlansg.com is With a father from Kenya and a mother from Kansas, President Obama was born in Hawaii on August 4, 1961. He was raised with help from his grandfather
Jan  1 07:03:05 wbri dnsmasq[23937]: reply enlansg.com is After working his way through college with the help of scholarships and student loans, President Obama moved to Chicago, where he worked with a group o45f churches to help
Jan  1 07:03:05 wbri dnsmasq[23937]: reply enlansg.com is he reached across the aisle to pass groundbreaking lobbying reform, lock up the world's most dangerous weapons, and bring transparency to government by putting federal spending online.
Jan  1 07:03:05 wbri dnsmasq[23937]: reply enlansg.com is President Obama's years of public service are based around his unwavering belief in the ability to unite people around a politics of purpose. In the Illinois State Senate, he passed the first major ethics reform in 25 years, cut taxes for working families
Jan  1 07:03:05 wbri dnsmasq[23937]: reply enlansg.com is , and expanded health care for children and their parents. As a United States Senator, he reached across the aisle to pass groundbreaking lobbying reform, lock up the world's most dangerous weapons, and bring transparency to government by putting federal
Jan  1 07:03:05 wbri dnsmasq[23937]: reply enlansg.com is spending online.
Jan  1 07:03:05 wbri dnsmasq[23937]: reply enlansg.com is Aft1er working his way through college with the help of scholarships and student loans, President Obama moved to Chicago, where he worked with a group of churches to help
Jan  1 07:03:05 wbri dnsmasq[23937]: reply enlansg.com is After working his way through college with the help of scholarships and student loans, President Obama moved to Chicago, where he worked with a group of churches to help3
Jan  1 07:03:05 wbri dnsmasq[23937]: reply enlansg.com is he reached across the aisle to pass groundbreaking lobbying reform, lock up the world's
Jan  1 07:03:05 wbri dnsmasq[23937]: reply enlansg.com is After working his way through college with the help of scholarships and student loans, President Obama moved to Chicago, where he worked with a group of churches to helpff
Jan  1 07:03:05 wbri dnsmasq[23937]: reply enlansg.com is After working his way through college with the help of scholarships and student loans, President Obama moved to Chicago, where he worked with a g2roup of churches to help
Jan  1 07:03:05 wbri dnsmasq[23937]: reply enlansg.com is After working his way through college with the help of scholarships and student loans, President Obama moved to Chicago, where he worked with a group of churches to help

Jan  1 07:38:17 yiradio dnsmasq[1184]: query[ANY] enlansg.com from 23.82.61.2

However, there indeed are much more sinister attackers out there, like this one originating from a source that GeoIPs to Telecom Italia, using my servers as amplifiers to attack root DNS servers and the Western Area Power Administration of the United States Government - "one of four power marketing administrations within the U.S. Department of Energy", at rates over 20 queries per second:

Jan  1 09:47:41 wbri dnsmasq[23937]: query[ANY] . from 195.22.214.65
Jan  1 09:47:41 wbri dnsmasq[23937]: query[ANY] . from 195.22.214.65
Jan  1 09:47:41 wbri dnsmasq[23937]: query[ANY] . from 195.22.214.65
Jan  1 09:47:41 wbri dnsmasq[23937]: query[ANY] . from 195.22.214.65
Jan  1 09:47:41 wbri dnsmasq[23937]: query[ANY] . from 195.22.214.65
Jan  1 09:47:41 wbri dnsmasq[23937]: query[ANY] . from 195.22.214.65
Jan  1 09:47:41 wbri dnsmasq[23937]: query[ANY] . from 195.22.214.65
Jan  1 09:47:41 wbri dnsmasq[23937]: query[ANY] . from 195.22.214.65
Jan  1 09:47:41 wbri dnsmasq[23937]: query[ANY] . from 195.22.214.65
Jan  1 09:47:41 wbri dnsmasq[23937]: query[ANY] . from 195.22.214.65
Jan  1 09:47:41 wbri dnsmasq[23937]: query[ANY] . from 195.22.214.65
Jan  1 09:47:41 wbri dnsmasq[23937]: query[ANY] . from 195.22.214.65
Jan  1 09:47:41 wbri dnsmasq[23937]: query[ANY] . from 195.22.214.65
Jan  1 09:47:41 wbri dnsmasq[23937]: query[ANY] . from 195.22.214.65
Jan  1 09:47:41 wbri dnsmasq[23937]: query[ANY] . from 195.22.214.65
Jan  1 09:47:41 wbri dnsmasq[23937]: query[ANY] . from 195.22.214.65
Jan  1 09:47:41 wbri dnsmasq[23937]: query[ANY] . from 195.22.214.65
Jan  1 09:47:41 wbri dnsmasq[23937]: query[ANY] . from 195.22.214.65
Jan  1 09:47:41 wbri dnsmasq[23937]: query[ANY] . from 195.22.214.65
Jan  1 09:47:41 wbri dnsmasq[23937]: query[ANY] . from 195.22.214.65
Jan  1 09:47:41 wbri dnsmasq[23937]: query[ANY] . from 195.22.214.65
Jan  1 09:47:41 wbri dnsmasq[23937]: query[ANY] . from 195.22.214.65
Jan  1 09:47:41 wbri dnsmasq[23937]: query[ANY] . from 195.22.214.65
Jan  1 09:47:42 wbri dnsmasq[23937]: query[ANY] . from 195.22.214.65
Jan  1 09:47:42 wbri dnsmasq[23937]: query[ANY] . from 195.22.214.65
Jan  1 09:52:16 wbri dnsmasq[23937]: query[ANY] wapa.gov from 195.22.214.65
Jan  1 09:52:16 wbri dnsmasq[23937]: query[ANY] wapa.gov from 195.22.214.65
Jan  1 09:52:16 wbri dnsmasq[23937]: query[ANY] wapa.gov from 195.22.214.65
Jan  1 09:52:17 wbri dnsmasq[23937]: query[ANY] wapa.gov from 195.22.214.65
Jan  1 09:52:17 wbri dnsmasq[23937]: query[ANY] wapa.gov from 195.22.214.65
Jan  1 09:52:17 wbri dnsmasq[23937]: query[ANY] wapa.gov from 195.22.214.65
Jan  1 09:52:17 wbri dnsmasq[23937]: query[ANY] wapa.gov from 195.22.214.65
Jan  1 09:52:17 wbri dnsmasq[23937]: query[ANY] wapa.gov from 195.22.214.65
Jan  1 09:52:17 wbri dnsmasq[23937]: query[ANY] wapa.gov from 195.22.214.65
Jan  1 09:52:17 wbri dnsmasq[23937]: query[ANY] wapa.gov from 195.22.214.65
Jan  1 09:52:17 wbri dnsmasq[23937]: query[ANY] wapa.gov from 195.22.214.65
Jan  1 09:52:17 wbri dnsmasq[23937]: query[ANY] wapa.gov from 195.22.214.65
Jan  1 09:52:17 wbri dnsmasq[23937]: query[ANY] wapa.gov from 195.22.214.65
Jan  1 09:52:17 wbri dnsmasq[23937]: query[ANY] wapa.gov from 195.22.214.65
Jan  1 09:52:17 wbri dnsmasq[23937]: query[ANY] wapa.gov from 195.22.214.65
Jan  1 09:52:17 wbri dnsmasq[23937]: query[ANY] wapa.gov from 195.22.214.65
Jan  1 09:52:17 wbri dnsmasq[23937]: query[ANY] wapa.gov from 195.22.214.65
Jan  1 09:52:17 wbri dnsmasq[23937]: query[ANY] wapa.gov from 195.22.214.65
Jan  1 09:52:17 wbri dnsmasq[23937]: query[ANY] wapa.gov from 195.22.214.65
Jan  1 09:52:17 wbri dnsmasq[23937]: query[ANY] wapa.gov from 195.22.214.65
Jan  1 09:52:17 wbri dnsmasq[23937]: query[ANY] wapa.gov from 195.22.214.65
Jan  1 09:52:17 wbri dnsmasq[23937]: query[ANY] wapa.gov from 195.22.214.65
Jan  1 09:52:17 wbri dnsmasq[23937]: query[ANY] wapa.gov from 195.22.214.65
Jan  1 09:52:17 wbri dnsmasq[23937]: query[ANY] wapa.gov from 195.22.214.65
Jan  1 09:52:17 wbri dnsmasq[23937]: query[ANY] wapa.gov from 195.22.214.65
Jan  1 09:52:17 wbri dnsmasq[23937]: query[ANY] wapa.gov from 195.22.214.65

So the question is what I do about it. There is a lot of advice on the internet on why I should not run an open recursive DNS resolver in the first place, but that is exactly what I want to do. The next best thing is to try to handle automated floods of queries, which brought me to a nice little post by Matteo Castelli, Blocking DNS Amplification attacks.

How many DNS queries is it normal for a web-browser to send out for an average web page? Over 20 seems to me to be unlikely, especially for a caching server like dnsmasq. Based on a pure gut feeling, with no scientific analysis whatsoever, I decided 10 is a good number.

Following Matteo's work, I replaced the line that accepts DNS requests in my CentOS 7 iptables configuration file, /etc/sysconfig/iptables, with one that limits the number of queries per second.

# -- OLD -- -A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m limit --limit 10/sec -j LOG --log-prefix "fw-dns " --log-level 7

This takes effect on reboot. To update the rule dynamically on a running system, I usually use iptables-save > tempfile, edit tempfile and then iptables-restore < tempfile.
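Before settling on a number like 10 queries per second, it helps to measure what the dnsmasq query log actually shows per client. The script below is an added example written for this post, not code from the post, from dnsmasq or from Matteo's article. It parses dnsmasq query lines in the format shown above (as written with log-queries enabled), counts queries per source address per second, flags sources whose peak exceeds a threshold, reports how much of each source's traffic is type ANY, and also computes the combined peak across all sources. The log lines, the addresses 198.51.100.7, 192.0.2.10 and 192.0.2.11 and the function names are all my own constructed sample data and assumptions.

```python
"""Per-source query-rate check over dnsmasq query-log lines (added example)."""
import re
import sys
from collections import Counter

# One dnsmasq "query[...]" line as written with log-queries enabled.  The syslog
# timestamp keeps its double space before single-digit days, so it is matched
# with \s+ and kept as a string: it only serves as a one-second bucket key.
QUERY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[^\]]+)\] (?P<name>\S+) from (?P<src>\S+)$"
)

# Constructed sample log (not taken from a real server): one client sends twelve
# ANY queries for the root within a single second, two others behave like
# browsers.  Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "Jan  1 09:47:41 wbri dnsmasq[23937]: query[ANY] . from 198.51.100.7"
] * 12 + [
    "Jan  1 09:47:41 wbri dnsmasq[23937]: query[A] example.com from 192.0.2.10",
    "Jan  1 09:47:41 wbri dnsmasq[23937]: forwarded example.com to 192.0.2.53",
    "Jan  1 09:47:41 wbri dnsmasq[23937]: reply example.com is 192.0.2.80",
    "Jan  1 09:47:41 wbri dnsmasq[23937]: query[AAAA] example.com from 192.0.2.10",
    "Jan  1 09:47:42 wbri dnsmasq[23937]: query[A] example.org from 192.0.2.11",
    "Jan  1 09:47:42 wbri dnsmasq[23937]: query[ANY] . from 198.51.100.7",
]


def parse_query(line):
    """Return the fields of a query line, or None for any other log line."""
    m = QUERY_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def per_source_per_second(lines):
    """Count queries in each (source address, one-second) bucket."""
    buckets = Counter()
    for line in lines:
        q = parse_query(line)
        if q:
            buckets[(q["src"], q["ts"])] += 1
    return buckets


def peak_rates(lines):
    """Highest one-second query count seen from each source."""
    peaks = {}
    for (src, _ts), n in per_source_per_second(lines).items():
        peaks[src] = max(peaks.get(src, 0), n)
    return peaks


def any_fraction(lines):
    """Share of each source's queries that are type ANY, the amplifier's favourite."""
    total, any_count = Counter(), Counter()
    for line in lines:
        q = parse_query(line)
        if q:
            total[q["src"]] += 1
            if q["qtype"] == "ANY":
                any_count[q["src"]] += 1
    return {src: any_count[src] / total[src] for src in total}


def flag_sources(lines, threshold=10):
    """Sources whose peak one-second rate exceeds the threshold (10/sec as in the post)."""
    return {src: n for src, n in peak_rates(lines).items() if n > threshold}


def global_peak(lines):
    """Peak one-second count summed over all sources: what a single shared
    bucket, such as iptables' -m limit, would be measuring."""
    per_second = Counter()
    for (_src, ts), n in per_source_per_second(lines).items():
        per_second[ts] += n
    return max(per_second.values(), default=0)


if __name__ == "__main__":
    # Read a real log when a path is given, otherwise use the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG
    anyshare = any_fraction(lines)
    for src, n in sorted(flag_sources(lines).items(), key=lambda kv: -kv[1]):
        print(f"{src}: peak {n}/sec, {anyshare[src]:.0%} ANY queries")
    print(f"combined peak across all sources: {global_peak(lines)}/sec")
```

Run it as python3 rate.py /path/to/log to see which clients would be affected by a given threshold; dnsmasq logs through syslog unless log-facility points it at a file, so the path depends on your syslog setup. Two properties of the iptables rule above are worth keeping in mind when comparing these numbers with it: the limit match keeps one token bucket for the whole rule, so --limit 10/sec is shared by every client together rather than applied per client (the per-source form is the hashlimit match with --hashlimit-mode srcip), and LOG is a non-terminating target, so that line logs up to ten packets per second and every packet then continues on to the next rule in the chain.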

This firewall tweak hopefully allows reasonable use of my open recursive DNS resolvers by web browsers while limiting the damage done by amplification attackers. If this is not enough, I will also configure fail2ban, as Matteo recommends. I am open to other ideas as long as they do not call for me to stop running an internet-facing resolver.
