Koozali.org: home of the SME Server

DNS Amplification attack

p-jones
DNS Amplification attack
« on: May 14, 2015, 10:55:35 AM »
Hi

I have a V8.1 Server-Gateway that has been running on ADSL for a while now without issue. The ADSL router had a DMZ pointing to the WAN NIC on the server.

This ADSL has just been upgraded to fibre. The dudes who did the fibre will not set a DMZ as they are telling me "We set a DMZ, however the server was hit with a DNS Amplification attack almost instantly".

At this point I don't have access to any logs (it's a good few hours' drive to get on to the site), but this doesn't quite sound right?

If I go onto the site, where should I start looking and for what?

Please ask for any info I may not have mentioned and I will try and answer.

Thanks in advance
Peter

PS the machine was fully updated immediately prior to the fibre conversion.
...

guest22

Re: DNS Amplification attack
« Reply #1 on: May 14, 2015, 02:22:22 PM »
Quote
The dudes who did the fibre will not set a DMZ as they are telling me "We set a DMZ, however the server was hit with a DNS Amplification attack almost instantly"

Interesting that they have concluded a 'DNS Amplification attack' 'instantly'. Funny if you get a new Public IP from that same provider...

CharlieBrady
Re: DNS Amplification attack
« Reply #2 on: May 15, 2015, 10:37:39 PM »
Quote
This ADSL has just been upgraded to fibre. The dudes who did the fibre will not set a DMZ as they are telling me "We set a DMZ, however the server was hit with a DNS Amplification attack almost instantly"

Did you ask them what they saw that caused them to say that?

p-jones
Re: DNS Amplification attack
« Reply #3 on: May 15, 2015, 11:09:13 PM »
Quote
Did you ask them what they saw that caused them to say that?

I asked why they thought that but didn't get a reply. I know this is not overly helpful. I am dealing with a 'middle-man' and there are some politics that I do not want to get involved with.

What I did find was that their idea of a DMZ was to forward all ports, TCP only, to the server. (No UDP on 53) and I am wondering if this may have some bearing.

I had initially envisaged going directly from the ONT to NIC and reconfiguring for PPPoE, however I was advised this could not happen as fibre delivery requires VLAN tagging, unsupported by SME, and they used a MikroTik router at the front door.

Fibre at this level is new in NZ and I have very limited experience with it. When I was in corporate it was delivered quite differently.
...

CharlieBrady
Re: DNS Amplification attack
« Reply #4 on: May 15, 2015, 11:30:57 PM »
Quote
I asked why they thought that but didn't get a reply. I know this is not overly helpful.

Indeed it's not. Anyone connected to the Internet can be hit by a DNS amplification attack. It's not very likely to have actually happened though.

Quote
What I did find was that their idea of a DMZ was to forward all ports, TCP only, to the server. (No UDP on 53) and I am wondering if this may have some bearing.

Sounds like you are dealing with someone with only half a clue. If UDP doesn't reach your server, then DNS isn't going to work. However, it doesn't need to be port forwarded to your server if the router does NAT properly.

Quote
I had initially envisaged going directly from the ONT to NIC and reconfiguring for PPPoE, however I was advised this could not happen as fibre delivery requires VLAN tagging, unsupported by SME, and they used a MikroTik router at the front door.

If you need to use a VLAN interface for your WAN that could be done, but would need some modifications.

Quote
If I go onto the site, where should I start looking and for what?

Well, for a start, knowing what works and what doesn't would be a good starting point. At the moment you either don't know or haven't told us.

Treat the mention of 'DNS amplification attacks' as uninformed waffling, and start from first principles.

p-jones
Re: DNS Amplification attack
« Reply #5 on: May 16, 2015, 12:03:17 AM »
Quote
Well, for a start, knowing what works and what doesn't would be a good starting point

At this time I believe everything is working as it should except remote access. They can surf, they can email without issue.

I would expect a DNS amplification attack to be temporary. I SUSPECT this may have come from an initial mis-config. Possibly some sort of recursion from an incorrect IP address maybe. I feel that I need to treat it seriously until I can prove otherwise.

I am guessing that if / when I can get remote access into the server, examining what has been happening via the tinydns log would be a place to start. Maybe iptraf looking at the WAN side NIC, then "feeling my way" through depending on what I find? Would that be a reasonable approach? Iptraf may be useless if the attack has ceased.
...

CharlieBrady
Re: DNS Amplification attack
« Reply #6 on: May 18, 2015, 10:50:08 PM »
Quote
... examining what has been happening via the tinydns log would be a place to start

Very unlikely to be of interest. tinydns is only available from internal addresses, and only serves names for the local domains.

A DNS amplification attack is something that you are passively subjected to. It doesn't indicate a vulnerability of the server. The only logs it will generate will be iptables logs, because of unexpected inbound traffic.

CharlieBrady
Re: DNS Amplification attack
« Reply #7 on: May 18, 2015, 10:50:52 PM »
Quote
At this time I believe everything is working as it should except remote access

OK, in that case the only thing you should investigate is why remote access is not working as it should.

compsos
Re: DNS Amplification attack
« Reply #8 on: May 27, 2015, 01:36:43 AM »
On the Australian NBN system whatever is plugged into the UNI port gets the external address. We have the servers done this way and they are all working fine.
If a DNS Amplification attack was likely then we should have been slammed. Fail2ban is not showing any more activity on the NBN connections in comparison to ADSL ones.
Regards

Gordon............