

Why not just ban inbound port 53 traffic on all VPS? - Page 2

Comments

  • jar Patron Provider, Top Host, Veteran
    edited March 2013

    Thank you to whoever decided that I needed to deal with this now and couldn't wait until later this evening as planned. The 8gbit traffic bouncing all over itself inside the node was SO appreciated, as were the brute force attempts that I can only assume by the target were intended on being used for bragging about it.

    Fellow providers, may I suggest the following.

    Script you should have: https://github.com/zoobab/openvz-scripts/blob/master/execall.sh

    sh execall.sh "sed -i 's/recursion yes/recursion no/g' /etc/named.conf"
    sh execall.sh "sed -i 's/recursion yes/recursion no/g' /etc/named.caching-nameserver.conf"
    sh execall.sh "service bind9 restart"

    It missed one for me. Easy manual fix. Sorry to clients for changing your configs, better that than blocking 53 or packing up the node and going home.

  • @jarland said: The 8gbit traffic bouncing all over itself inside the node was SO appreciated, as were the brute force attempts that I can only assume by the target were intended on being used for bragging about it.

    Sounds fun...

  • jar Patron Provider, Top Host, Veteran

    @BlackoutIsHere said: Sounds fun...

    Been one of those weeks :(

  • @pechspilz said: With all the recent talk about DNS amp DDOS attacks, I wonder why none (?) of you LEB providers just blocks inbound port 53 traffic to all VPS?

    The number of VPS users who need an open DNS resolver most likely is very small and the number of users who know how to protect an open DNS resolver is a fraction of it. It's just asking for trouble, not worth the hassle. Even though it might not affect your network in a big way, the spoofed target address of the DNS response certainly is affected.

    I know there are cool tools like Iodine which will be affected by such a ban.

    No, just BIND or other name server recursion should be disabled, or enabled only for legitimate DNS clients subnet, or if legitimate clients cannot be well defined by address, then rate limit.

    DNS servers should be used as authoritative only - the easiest fix; however, in my opinion even authoritative servers could get abused and be used in a DNS amplification attack, but that requires more work, and that makes it less probable, for now.

  • @KrisKris said: "grep recursion /vz/private/*/etc/named.conf"

    That will find BIND installations, but it won't find other DNS software that could also be configured to allow open recursion.

    @jarland said: Sorry to clients for changing your configs, better that than blocking 53 or packing up the node and going home.

    That script takes care of the BIND open recursor problem, but any installation of bind9 could still leave servers open to DDoS attacks if users haven't applied the latest bind9 security patches that were issued this week by ISC.

    From the ISC advisory: "A flaw in a library used by BIND 9.7, 9.8, and 9.9, when compiled on Unix and related operating systems, allows an attacker to deliberately cause excessive memory consumption by the named process, potentially resulting in exhaustion of memory resources on the affected server. This condition can crash BIND 9 and will likely severely affect operation of other programs running on the same machine."

    http://www.infoworld.com/d/security/critical-denial-of-service-flaw-in-bind-software-puts-dns-servers-risk-215467
    https://kb.isc.org/article/AA-00871

  • jar Patron Provider, Top Host, Veteran

    @DomainBop said: that script takes care of the bind open recursor problem but any installation of bind9 could still leave servers open to a DDoS attacks if users haven't applied the latest bind9 security patches that were issued this week by ISC

    Gonna be a big template overhaul next week. Hope I can make it that long.

  • Kris Member
    edited March 2013

    @DomainBop said: That will find bind installations but it won't find other dns software that could also be configured to allow open recursion

    Yes. Yes it will. Did I say otherwise? If you'd like to share your magical mystery search-all DNS configuration, go ahead. I'll stick with my method that finds 99% of installs.

    @DomainBop said: that script takes care of the bind open recursor problem but any installation of bind9 could still leave servers open to a DDoS attacks if users haven't applied the latest bind9 security patches that were issued this week by ISC

    On a BIND9 implementation running the RRL patches, add the following lines to the options block of the authoritative views [13]:

    rate-limit {
        responses-per-second 5;
        window 5;
    };

    http://www.us-cert.gov/ncas/alerts/TA13-088A
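    Several posts above (Kris's grep over /vz/private/*/etc/named.conf, jarland's sed over named.conf, Janevski's point that recursion should be off or limited to a defined ACL, and the rate-limit block just quoted) amount to one audit: for each container's named.conf, is recursion on, who is allowed to use it, and is RRL configured? Below is an added example that does that audit in Python. It is not code from the thread, from any poster, or from ISC; the OpenVZ path pattern /vz/private/*/etc/named.conf is taken from the thread, and the three sample configs are constructed for the offline demonstration.

```python
"""Audit BIND named.conf files for open recursion and missing RRL (added example)."""
import glob
import re

# Strip BIND's three comment styles before matching options.
COMMENT_RE = re.compile(r'//[^\n]*|#[^\n]*|/\*.*?\*/', re.DOTALL)
# "recursion yes;" / "recursion no;" inside the options block.
RECURSION_RE = re.compile(r'\brecursion\s+(yes|no)\s*;', re.IGNORECASE)
# allow-recursion { <acl entries>; };
ALLOW_RECURSION_RE = re.compile(r'\ballow-recursion\s*\{([^}]*)\}', re.IGNORECASE)
# rate-limit { responses-per-second N; window N; };  (RRL, as in the post above)
RATE_LIMIT_RE = re.compile(r'\brate-limit\s*\{([^}]*)\}', re.IGNORECASE)


def classify(conf_text):
    """Return (status, notes) for one named.conf.

    status: 'open-recursor'  recursion on and no restricting ACL (or ACL contains any)
            'restricted'     recursion on but limited by an allow-recursion ACL
            'authoritative'  recursion no; the server cannot be used as an open resolver
    """
    text = COMMENT_RE.sub('', conf_text)
    notes = []
    m = RECURSION_RE.search(text)
    if m is None:
        # BIND's default for the recursion option itself is yes; newer BIND
        # restricts allow-recursion by default, so treat this as "review me".
        notes.append('no explicit "recursion" option; BIND defaults to recursion yes')
        recursion_on = True
    else:
        recursion_on = m.group(1).lower() == 'yes'

    if not recursion_on:
        status = 'authoritative'
    else:
        acl = ALLOW_RECURSION_RE.search(text)
        entries = [e.strip().lower() for e in acl.group(1).split(';') if e.strip()] if acl else []
        if acl is None or 'any' in entries:
            status = 'open-recursor'
            notes.append('recursion answered for any source; set "recursion no;" '
                         'or an allow-recursion ACL of legitimate client subnets')
        else:
            status = 'restricted'
            notes.append('recursion limited to: ' + ', '.join(entries))

    if RATE_LIMIT_RE.search(text) is None:
        notes.append('no rate-limit block; add RRL (responses-per-second) to cap reflected traffic')
    return status, notes


def audit_containers(pattern='/vz/private/*/etc/named.conf'):
    """Run classify() over every container config matching the OpenVZ path pattern."""
    results = {}
    for path in sorted(glob.glob(pattern)):
        try:
            with open(path) as fh:
                results[path] = classify(fh.read())
        except OSError as exc:
            results[path] = ('unreadable', [str(exc)])
    return results


# Constructed sample configs for the offline demonstration.
OPEN_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
};
"""
RESTRICTED_CONF = """
options {
    recursion yes;
    allow-recursion { 127.0.0.1; 10.0.0.0/8; };  // constructed client ACL
    rate-limit { responses-per-second 5; window 5; };
};
"""
AUTH_CONF = """
options {
    recursion no;  /* authoritative only */
    rate-limit { responses-per-second 5; window 5; };
};
"""

if __name__ == '__main__':
    for name, conf in (('open', OPEN_CONF), ('restricted', RESTRICTED_CONF), ('auth', AUTH_CONF)):
        status, notes = classify(conf)
        print(name, '->', status, notes)
    # On a real node: print(audit_containers())
```

    As DomainBop points out, this only covers named; containers running other resolver software are invisible to a file-based audit, which is why a network probe of the same address range is the complementary check.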

  • jar Patron Provider, Top Host, Veteran

    Looking at the 3/15 released OpenVZ templates and it looks like they all have bind disabled. Not usually a fan of just hopping on whatever they offer there but there's room for customizations later, looks like a really good starting point for those thinking of that lengthy task.

  • Janevski Member
    edited March 2013

    @jarland said: Looking at the 3/15 released OpenVZ templates and it looks like they all have bind disabled. Not usually a fan of just hopping on whatever they offer there but there's room for customizations later, looks like a really good starting point for those thinking of that lengthy task.

    Disabling recursion at the OpenVZ template level is okay too, for the templates that already include a name server daemon; however, there is a portion that don't, and those have to be dealt with afterwards.

  • Wouldn't it be easier to scan the network for open DNS resolvers instead of relying on a script which a) only works if you have direct access to the VPS's file system and b) doesn't detect anything except named?

    It should be pretty easy to wrap this tool in a script and periodically monitor an entire CIDR block:
    http://monkey.org/~provos/dnsscan/
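    The probe the post above describes, scanning your own address block from the network side instead of the filesystem, as an added example that is not code from the thread or from dnsscan: it sends a query with the RD bit set for a name the probed host should not be authoritative for, then checks the RA flag, RCODE and answer count of the reply. The probe name example.com, the CIDR argument and the reply bytes used for the offline demonstration are all constructed assumptions.

```python
"""Probe an address range for open DNS resolvers (added example)."""
import ipaddress
import random
import socket
import struct

# A name the probed servers are not expected to be authoritative for, so a
# valid answer with RA set implies the server recursed on our behalf.
PROBE_NAME = 'example.com'


def build_query(name, txid):
    """DNS query for A <name>, RD=1 (recursion desired), one question, no EDNS."""
    flags = 0x0100  # QR=0, OPCODE=0, RD=1
    header = struct.pack('!HHHHHH', txid, flags, 1, 0, 0, 0)
    qname = b''.join(struct.pack('B', len(lbl)) + lbl.encode('ascii')
                     for lbl in name.rstrip('.').split('.')) + b'\x00'
    return header + qname + struct.pack('!HH', 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(packet):
    """Decode the 12-byte DNS header fields the classification needs."""
    if len(packet) < 12:
        raise ValueError('short DNS packet')
    txid, flags, _qd, an, _ns, _ar = struct.unpack('!HHHHHH', packet[:12])
    return {'id': txid, 'qr': bool(flags & 0x8000), 'ra': bool(flags & 0x0080),
            'rcode': flags & 0x000F, 'ancount': an}


def classify_response(packet, expected_id):
    """'open-resolver', 'refused', 'closed' or 'mismatch' for one reply."""
    h = parse_header(packet)
    if h['id'] != expected_id or not h['qr']:
        return 'mismatch'          # not a reply to our query
    if h['rcode'] == 5:
        return 'refused'           # REFUSED: recursion denied by ACL
    if h['ra'] and h['rcode'] == 0 and h['ancount'] > 0:
        return 'open-resolver'     # recursed for an arbitrary client
    return 'closed'                # RA clear, SERVFAIL, empty answer, ...


def probe(ip, timeout=2.0):
    """Send one probe over UDP/53 and classify what comes back."""
    txid = random.randint(0, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(PROBE_NAME, txid), (str(ip), 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return 'no-response'
    except OSError as exc:
        return 'error: %s' % exc
    finally:
        sock.close()
    try:
        return classify_response(data, txid)
    except ValueError:
        return 'malformed'


def scan_cidr(cidr, timeout=1.0):
    """Probe every host address in a block you operate; returns {ip: verdict}."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {str(ip): probe(ip, timeout) for ip in net.hosts()}


def constructed_reply(txid, flags, ancount):
    """Constructed reply bytes for offline testing (question + optional A record)."""
    header = struct.pack('!HHHHHH', txid, flags, 1, ancount, 0, 0)
    question = b'\x07example\x03com\x00' + struct.pack('!HH', 1, 1)
    answer = b''
    if ancount:
        # name pointer to offset 12, type A, class IN, TTL 60, rdlength 4, 192.0.2.1 (TEST-NET)
        answer = b'\xc0\x0c' + struct.pack('!HHIH', 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


if __name__ == '__main__':
    reply = constructed_reply(0x1234, 0x8180, 1)   # QR=1 RD=1 RA=1 NOERROR, one answer
    print(parse_header(reply), '->', classify_response(reply, 0x1234))
    # Against a block you operate: print(scan_cidr('192.0.2.0/29'))
```

    A host that answers 'refused' or 'closed' is fine from the amplification point of view; only 'open-resolver' results need the recursion or ACL fix discussed earlier in the thread. Run the scan from outside the node's own subnet, otherwise an allow-recursion { localnets; } configuration will look open when it is not.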
