How to protect against any query attack?


An attack on UDP port 53 is spreading around these days (the ANY query attack).

The attack works like this: the attacker sends a small UDP packet, using the victim's IP as the source address, to name servers around the internet. The packet contains a DNS query of the form "send me all info about the domain" (an ANY query). The DNS server replies to the real victim with a large packet containing all that info. This looks harmless, but the attacker sends this query to many servers at once and they all reply to the real victim.

1. The ANY attack as seen in tcpdump:
23:19:15.165596 IP x.x.x.x.7185 > yourdnsserver.53: 13442+ [1au] ANY? (37)
19:09:25.536853 IP ip.25345 > ip.53: 10809+ [1au] ANY? (36)
19:09:25.611423 IP ip.64528 > ip.53: 4208+ [1au] ANY? (49)

2. BIND logs:
20:28:00.643 client x.x.x.x#49046: query: IN ANY +ED (x.x.x.x)
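As an added example (not code from the original post), here is a small Python detector for the two log formats shown above. It counts queries per source address and reports the addresses that sent a burst of ANY queries. The log lines below are constructed sample data using documentation address ranges; in a reflection attack the "source" is spoofed, so the address it reports is the host being flooded with replies, which is exactly who the server should stop answering.

```python
import re
from collections import Counter

# Constructed sample lines in the two formats shown above (documentation
# addresses, not real traffic). 198.51.100.7 plays the spoofed "source",
# i.e. the victim that the large replies would be reflected towards.
BIND_LOG = """\
20:28:00.643 client 198.51.100.7#49046: query: example.org IN ANY +ED (203.0.113.5)
20:28:00.701 client 198.51.100.7#49046: query: example.org IN ANY +ED (203.0.113.5)
20:28:00.799 client 198.51.100.7#49046: query: example.org IN ANY +ED (203.0.113.5)
20:28:01.002 client 192.0.2.44#53012: query: www.example.org IN A + (203.0.113.5)
20:28:01.117 client 198.51.100.7#49046: query: example.org IN ANY +ED (203.0.113.5)
"""

TCPDUMP_LOG = """\
19:09:25.536853 IP 198.51.100.7.25345 > 203.0.113.5.53: 10809+ [1au] ANY? example.org. (40)
19:09:25.611423 IP 198.51.100.9.64528 > 203.0.113.5.53: 4208+ [1au] ANY? example.org. (40)
19:09:25.612000 IP 192.0.2.44.53012 > 203.0.113.5.53: 5+ A? www.example.org. (33)
"""

# BIND query log: "client <ip>#<port>: query: <name> IN <qtype> <flags>"
BIND_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)"
)
# tcpdump one-line summary: "IP <ip>.<port> > <ip>.53: <id>+ [flags] <QTYPE>? <name> (<bytes>)"
TCPDUMP_RE = re.compile(
    r"IP (?P<ip>[\d.]+)\.\d+ > [\d.]+\.53: .*?(?P<qtype>[A-Z0-9]+)\? (?P<name>\S+) \((?P<len>\d+)\)"
)


def flag_any_sources(bind_lines="", tcpdump_lines="", min_any=3):
    """Count queries per source address in either log format and return the
    addresses that sent at least `min_any` ANY queries.

    Returns {ip: {"any": n, "total": m}}.  Because the source is spoofed in a
    reflection attack, a flagged address is the victim, not the attacker.
    """
    total, any_q = Counter(), Counter()
    for text, regex in ((bind_lines, BIND_RE), (tcpdump_lines, TCPDUMP_RE)):
        for line in text.splitlines():
            m = regex.search(line)
            if m is None:
                continue  # unrelated log line
            total[m["ip"]] += 1
            if m["qtype"] == "ANY":
                any_q[m["ip"]] += 1
    return {
        ip: {"any": any_q[ip], "total": total[ip]}
        for ip in total
        if any_q[ip] >= min_any
    }


if __name__ == "__main__":
    for ip, stats in flag_any_sources(BIND_LOG, TCPDUMP_LOG).items():
        print(f"{ip}: {stats['any']} ANY of {stats['total']} queries")
```

The threshold `min_any` is deliberately low for the sample; on a busy resolver, compare the ANY count against the source's total query count and against a time window rather than using an absolute number.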

3. Here is why attackers use the ANY query:
# dig @ any | grep SIZE
;; MSG SIZE rcvd: 337
# dig @ any | grep SIZE
;; MSG SIZE rcvd: 3054
# dig @ any | grep SIZE
;; MSG SIZE rcvd: 2498

The reply from (Google's public DNS server) when asked about is large.

4. How the ANY attack works (DNS ANY query attack)
The attacker assumes:

1) He can send spoofed packets (using the victim's IP as source). This is possible because the internet works by destination routing: packets are forwarded to their destination without checking their source. Some ISPs protect against this by checking that their clients send packets only from their assigned IP addresses (reverse path filtering); still, there are many ISPs out there that don't use this filtering and will pass spoofed packets towards their destination.

2) He can find open DNS servers: DNS servers that will reply to any query from anyone that asks. There are many of these on the internet (SOHO routers, DNS servers with default configurations, etc.).

Both conditions are easy to meet today. It's only a matter of scale: if someone has enough hosts to send these packets from (infected Windows machines, hacked servers, etc.), anything can happen.

5. Protect your DNS server against the ANY attack

Step 1 to protect against the ANY attack
THIS IS A MUST: configure your DNS server NOT to accept resolution requests from unauthorized IPs. If possible (for example on a caching-only DNS server), also block UDP port 53 from unauthorized IPs towards your server on the firewall.

In BIND, named.conf:
include "/etc/namedb/acl.conf";

options in named.conf:
allow-query { "our-networks"; };
allow-transfer { "transferip"; };

in acl.conf (the network lists are not on this page; fill in your own):
acl "our-networks" { /* the client networks you resolve for, e.g. 192.0.2.0/24; */ };

acl "transferip" { /* the addresses of your secondary name servers; */ };

Step 2 to protect against the ANY attack
If only a few sources are involved, try to find where these packets are coming from and block them there.

Step 3 to protect against the ANY attack
Rate-limit UDP port 53 on your server. Something like this, I guess:
iptables -A INPUT -p udp --dport 53 -m connlimit --connlimit-above xx -j DROP

This might have side effects: if clients forward DNS requests to your name server (many queries from a single forwarder address), regular queries may stop working.

Step 4 to protect against the ANY attack
iptables can also match the query itself:
iptables -A INPUT -p udp --dport 53 -m string --hex-string "|03697363036f726700|" --algo bm --to 65535 -j DROP

which would match that exact query name (the hex is the wire-format encoding of the name isc.org, so it matches every query for that name and its subdomains, not only ANY queries).
Or you could find out the exact size of the packet used in this attack (use Wireshark or tcpdump -vv) and block it:
tcpdump -nn -vv -i eth0 | grep ANY
20:56:27.574169 IP (tos 0x0, ttl 224, id 10261, offset 0, flags [none], proto: UDP (17), length: 64) 176.31.xx.xx.25345 > xx.xx.xx.xx.53: [no cksum] 10809+ [1au] ANY? ar: . OPT UDPsize=4096 (36)
iptables -I INPUT -p udp --dport 53 -m length --length 64 -j DROP
iptables -nvL
129 8256 DROP udp -- eth0 * udp dpt:53 length 64
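As an added example (not from the original post), the following Python code covers both the size measurements in section 3 and the length-based rule in Step 4. It parses `tcpdump -nn -vv` lines in the format shown above, records for each IP packet length how many ANY and non-ANY queries arrived with that size, and computes the largest reply-to-query ratio each ANY query asked for (the advertised EDNS UDP buffer divided by the query size, or 512 bytes when there is no OPT record). It only suggests an `iptables -m length` rule for sizes that carried ANY queries exclusively, because a size shared with legitimate queries would drop those too. The log lines are constructed with documentation addresses; `example.org` and `examplezone.test` are placeholder names, and the packet sizes are consistent with those names (a 40-byte EDNS ANY query gives a 68-byte IP packet: 20 + 8 + 40).

```python
import re
from collections import defaultdict

# Constructed tcpdump -nn -vv lines (documentation addresses, placeholder names).
# Two EDNS ANY queries and one legitimate A query share the 68-byte size.
VERBOSE_LOG = """\
20:56:27.574169 IP (tos 0x0, ttl 224, id 10261, offset 0, flags [none], proto: UDP (17), length: 68) 198.51.100.7.25345 > 203.0.113.5.53: [no cksum] 10809+ [1au] ANY? example.org. ar: . OPT UDPsize=4096 (40)
20:56:27.580011 IP (tos 0x0, ttl 224, id 10262, offset 0, flags [none], proto: UDP (17), length: 68) 198.51.100.7.25345 > 203.0.113.5.53: [no cksum] 10810+ [1au] ANY? example.org. ar: . OPT UDPsize=4096 (40)
20:56:27.590420 IP (tos 0x0, ttl 119, id 44120, offset 0, flags [none], proto: UDP (17), length: 73) 198.51.100.8.40001 > 203.0.113.5.53: [no cksum] 2201+ [1au] ANY? examplezone.test. ar: . OPT UDPsize=4096 (45)
20:56:28.010993 IP (tos 0x0, ttl 61, id 3301, offset 0, flags [DF], proto: UDP (17), length: 68) 192.0.2.44.53012 > 203.0.113.5.53: [udp sum ok] 5+ A? imap1.mail.example.org. (40)
20:56:28.020100 IP (tos 0x0, ttl 61, id 3302, offset 0, flags [DF], proto: UDP (17), length: 61) 192.0.2.44.53013 > 203.0.113.5.53: [udp sum ok] 6+ A? www.example.org. (33)
"""

# "... length: <iplen>) <src>.<port> > <dst>.53: ... <QTYPE>? <name> [ar: . OPT UDPsize=<n>] (<payload>)"
VERBOSE_RE = re.compile(
    r"length: (?P<iplen>\d+)\) [\d.]+\.\d+ > [\d.]+\.53: "
    r".*?(?P<qtype>[A-Z0-9]+)\? (?P<name>\S+)"
    r"(?: ar: \. OPT UDPsize=(?P<udpsize>\d+))? \((?P<plen>\d+)\)"
)


def analyse_lengths(lines):
    """Group queries by IP packet length.  For each length record how many
    were ANY queries, how many were anything else, and the largest
    reply-to-query ratio an ANY querier asked for (advertised EDNS buffer
    divided by the query payload; 512 bytes when no OPT record is present).
    """
    by_len = defaultdict(lambda: {"any": 0, "other": 0, "max_amp": 0.0})
    for line in lines.splitlines():
        m = VERBOSE_RE.search(line)
        if m is None:
            continue  # not a query line in this format
        rec = by_len[int(m["iplen"])]
        if m["qtype"] == "ANY":
            rec["any"] += 1
            advertised = int(m["udpsize"]) if m["udpsize"] else 512
            rec["max_amp"] = max(rec["max_amp"], advertised / int(m["plen"]))
        else:
            rec["other"] += 1
    return dict(by_len)


def length_rules(lines):
    """Return (rules, collisions): a drop rule for every packet size that
    carried only ANY queries, and the sizes that also carried other queries
    and therefore must not be blocked by length alone."""
    rules, collisions = [], []
    for iplen, rec in sorted(analyse_lengths(lines).items()):
        if rec["any"] == 0:
            continue
        if rec["other"]:
            collisions.append(iplen)
        else:
            rules.append(
                f"iptables -I INPUT -p udp --dport 53 -m length --length {iplen} -j DROP"
            )
    return rules, collisions


if __name__ == "__main__":
    for iplen, rec in sorted(analyse_lengths(VERBOSE_LOG).items()):
        print(f"length {iplen}: {rec['any']} ANY, {rec['other']} other, "
              f"asked-for amplification up to {rec['max_amp']:.1f}x")
    rules, collisions = length_rules(VERBOSE_LOG)
    print("\n".join(rules))
    print("sizes shared with legitimate queries, not blocked:", collisions)
```

The `max_amp` figure is what the querier asks for, not what the server actually sends: the real reply is bounded by the server's own maximum UDP size and by how much data the ANY answer for that name contains, which is what the `dig ... | grep SIZE` measurements in section 3 show. Length matching is a stop-gap for an attack in progress; the ACL in Step 1 is what removes the amplifier.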
6. You can also add a blackhole option in named.conf (the acl must be defined before it is referenced, so the include comes first):
include "blacklist.acl";

options {
    directory "/usr/local/bind9/var/named";
    pid-file "";
    listen-on port 53 { any; };
    blackhole { BLACKLIST; };
};

The content of blacklist.acl:

