DNS flooding 'ANY' requests

[chatwizrd]

Does anyone have any ideas on how I can mitigate a ton attempted DDoS against my DNS servers? I am getting blasted with ANY requests. We have disabled recursive DNS but the attempts are still pushing around 1 Mbps. Is there any way to rate limit the connections with the pf firewall software?

I have tried something like this in pf but it doesn't seem to help at all.

table <bruteforce_dns> persist
pass quick on em0 proto { tcp,udp } to port 53 \
        keep state (max-src-conn 10, max-src-conn-rate 10/5, \
                overload <bruteforce_dns> flush global)

Attempts:

10:28:02.931789 IP 77.247.183.137.49663 > 192.168.0.2.53: 17953+ [1au] ANY? ietf.org. (37)
10:28:02.931798 IP 85.159.232.241.34529 > 192.168.0.2.53: 30437+ [1au] ANY? ietf.org. (37)
10:28:02.931806 IP 208.64.126.195.46173 > 192.168.0.2.53: 45784+ [1au] ANY? ietf.org. (37)
10:28:02.931849 IP 77.247.183.137.62174 > 192.168.0.2.53: 59751+ [1au] ANY? ietf.org. (37)
10:28:02.940345 IP 208.64.126.195.38861 > 192.168.0.2.53: 44980+ [1au] ANY? ietf.org. (37)
10:28:02.940373 IP 85.159.232.241.12667 > 192.168.0.2.53: 47945+ [1au] ANY? ietf.org. (37)

 

[kpa]

You need to have a block rule before the pass rule:

block in quick on em0 from <bruteforce_dns> to any

 

[chatwizrd]

You need to have a block rule before the pass rule:

block in quick on em0 from <bruteforce_dns> to any

Seems to help some now.

Thanks

 

[Anonymous]

Is it really necessary, that your DNS server is visible to the outside? Usually, I set up recursive name servers that listen only on the loopback address and on the LAN. If you don't need any WAN access to your name server, then you would edit the listen-on directive in /var/named/etc/namedb/named.conf:

...
        listen-on       { 127.0.0.1; 192.168.x.y; };
...

Without that, you are operating an open name server, which isn't that good for a number of reasons, for example see http://www.us-cert.gov/ncas/alerts/TA13-088A.

 

[kpa]

I think this is an authoritative server for a domain because the OP said " We have disabled recursive DNS". Without some rate limiting your server will still react to all the requests when it sends back recursion not allowed errors.

 

[chatwizrd]

Does anyone know of a way to patch in response rate limiting into the bind that comes in the source code of FreeBSD? If not I could always install a newer version from ports. There are some patches on this site, but it doesn't look like they have the version of bind I am using "BIND 9.8.3-P4".

By the way we were doing recursive lookups for customers of ours, but since the attacks have just disabled it because it has become a hassle.

 

[Anonymous]

My guess is, that the actual targets of the DDoS are not your servers, but your servers are only being made taking part on DNS amplification attacks to a third party.

If my guess is correct, you would see a huge number of requests but apparently coming only from a few requesters at a time, and it may be viable to add these addresses to the ACL of bind. In the global options{} of /var/named/etc/namedb/named.conf you could perhaps maintain something like the following:

...
    blackhole { 77.247.183.137; 85.159.232.241; 208.64.126.195; };
...

DNS amplification attacks to hundreds of different targets at the same time would be somehow pointless, so for sure there would be a focus to a handful of targets at the same time. And of course it is some work to maintain the blackhole, but it shouldn't be too troublesome.