How to protect against isc.org any query attack?
2013-05-28
An attack on UDP port 53 is spreading these days (the isc.org ANY query attack).
The attack works like this: the attacker sends a small UDP packet, with the victim's IP as the source, to nameservers around the internet. The packet contains a DNS query that amounts to "send me all records for the domain isc.org". The DNS server replies to the real victim with a large packet containing all records for isc.org. This looks trivial, but the attacker sends this query to many servers at once and they all reply to the real victim.
1. The isc.org ANY attack as seen in tcpdump:
23:19:15.165596 IP x.x.x.x.7185 > yourdnsserver.53: 13442+ [1au] ANY? isc.org. (37)
19:09:25.536853 IP ip.25345 > ip.53: 10809+ [1au] ANY? isc.org. (36)
19:09:25.611423 IP ip.64528 > ip.53: 4208+ [1au] ANY? ripe.net. (49)
2. BIND logs:
20:28:00.643 client x.x.x.x#49046: query: isc.org IN ANY +ED (x.x.x.x)
3. Here is why attackers use the isc.org ANY query:
# dig @8.8.8.8 yahoo.com any | grep SIZE
;; MSG SIZE rcvd: 337
# dig @8.8.8.8 isc.org any | grep SIZE
;; MSG SIZE rcvd: 3054
# dig @8.8.8.8 ripe.net any | grep SIZE
;; MSG SIZE rcvd: 2498
The reply from 8.8.8.8/8.8.4.4 (Google Public DNS) to an ANY query for isc.org is large, many times the size of the 37-byte query that triggers it.
4. How the isc.org ANY attack works
The attacker relies on two conditions:
1) He can send spoofed packets (using the victim's IP as the source). This is possible because the internet routes by destination: packets are forwarded towards their destination without checking their source. Some ISPs protect against this by checking that their clients only send packets from their assigned IP addresses (reverse path filtering), but many ISPs still do not use this filtering and will pass spoofed packets on towards their destination.
2) He can find open DNS servers: servers that answer any query from anyone who asks. There are many of these on the internet (SOHO routers, DNS servers with default configurations, etc.).
Both conditions are easy to meet today. It is only a matter of scale: if someone controls enough hosts to send these packets from (infected Windows machines, hacked servers, etc.), anything can happen.
5. Protect your DNS server against the isc.org ANY attack
Step 1 to protect against the isc.org ANY attack
THIS IS A MUST: configure your DNS server NOT to accept resolution requests from unauthorized IPs. If possible, for a caching-only DNS server, also block UDP port 53 from unauthorized IPs towards your server at the firewall.
In BIND, named.conf (the ACL include must come before the options that reference it):
include "/etc/namedb/acl.conf";
Options in named.conf:
allow-query { "our-networks"; };
allow-transfer { "transferip"; };
In acl.conf:
acl "our-networks" {
127.0.0.1/32;
network1/x;
network2/x;
};
acl "transferip" {
127.0.0.1/32;
x.x.x.x/32;
y.y.y.y/32;
};
Step 2 to protect against the isc.org ANY attack
If only a few sources are involved, try to find where these packets are coming from and block them there.
Step 3 to protect against the isc.org ANY attack
Rate-limit UDP port 53 on your server, with something like this:
iptables -A INPUT -p udp --dport 53 -m connlimit --connlimit-above xx -j DROP
This might have side effects: if clients are forwarding DNS requests through your nameserver, regular queries may stop working correctly.
Step 4 to protect against the isc.org ANY attack
iptables can also match the query itself:
iptables -A INPUT -p udp --dport 53 -m string --hex-string "|03697363036f726700|" --algo bm --to 65535 -j DROP
which would match that exact query (the hex is the wire-format QNAME: the length-prefixed labels "isc" and "org" followed by the zero byte that ends the name);
or you could find out the exact size of the packet used in this attack (use Wireshark) and block on that:
tcpdump -nn -vv -i eth0 |grep ANY
20:56:27.574169 IP (tos 0x0, ttl 224, id 10261, offset 0, flags [none], proto: UDP (17), length: 64) 176.31.xx.xx.25345 > xx.xx.xx.xx.53: [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)
iptables -I INPUT -p udp --dport 53 -m length --length 64 -j DROP
iptables -nvL
129 8256 DROP udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 length 64
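As an added example (not part of the original post), the Python script below does two things the text above relies on: it derives the wire-format QNAME hex used in the iptables --hex-string rule for any domain, and it scans BIND query-log lines in the format shown in section 2 to count ANY queries per client so that noisy sources can be picked out for the blackhole ACL. The log lines are constructed sample data using documentation addresses.

```python
import re
from collections import Counter

def qname_wire_hex(name: str) -> str:
    """Encode a domain name as a DNS wire-format QNAME and return it as hex.

    "isc.org" becomes 03 'isc' 03 'org' 00, i.e. the |03697363036f726700|
    pattern matched by the iptables --hex-string rule above.
    """
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:  # DNS labels are 1..63 bytes
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)  # the empty root label terminates the name
    return out.hex()

# Matches BIND query-log lines such as the one in section 2:
#   20:28:00.643 client x.x.x.x#49046: query: isc.org IN ANY +ED (x.x.x.x)
# and also tolerates the "client @0x... ip#port (qname): query: ..." layout of newer BIND.
LOG_RE = re.compile(
    r"client (?:@\S+ )?(?P<src>[^#\s]+)#\d+(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def count_any_queries(lines):
    """Return {source IP: number of ANY queries} for the given log lines."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("qtype").upper() == "ANY":
            counts[m.group("src")] += 1
    return counts

def flag_sources(lines, threshold):
    """Sources that sent at least `threshold` ANY queries: candidates for the blackhole ACL."""
    return sorted(src for src, n in count_any_queries(lines).items() if n >= threshold)

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    "20:28:00.643 client 192.0.2.10#49046: query: isc.org IN ANY +ED (198.51.100.1)",
    "20:28:00.644 client 192.0.2.10#49046: query: isc.org IN ANY +ED (198.51.100.1)",
    "20:28:00.650 client 192.0.2.10#49046: query: ripe.net IN ANY +ED (198.51.100.1)",
    "20:28:01.002 client 203.0.113.7#53211: query: www.example.com IN A + (198.51.100.1)",
    "20:28:01.120 client 203.0.113.7#53212: query: isc.org IN ANY +ED (198.51.100.1)",
]

if __name__ == "__main__":
    print(qname_wire_hex("isc.org"))          # 03697363036f726700
    print(flag_sources(SAMPLE_LOG, threshold=2))  # ['192.0.2.10']
```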
6. You can also add a blackhole option in named.conf (the ACL must be included before the options block that references it, since BIND does not allow forward references to ACL names):
include "blacklist.acl";
options {
directory "/usr/local/bind9/var/named";
pid-file "named.pid";
listen-on port 53 { any; };
blackhole { BLACKLIST; };
};
The content of blacklist.acl:
acl "BLACKLIST" {
ip1;
ip2;
192.168.1.0/24;
};
References:
1. http://www.minihowto.eu/protectio-against-isc-org-any-attack-dns-attack-isc-org-any-query
2. Search for the keyword "一种针对DNS缓存服务器的杠杆式攻击" (a leverage-style attack against DNS cache servers); that article only describes the problem and offers no solution.