New on LowEndTalk? Please Register and read our Community Rules.
Thank you to whoever decided that I needed to deal with this now and couldn't wait until later this evening as planned. The 8gbit traffic bouncing all over itself inside the node was SO appreciated, as were the brute force attempts that I can only assume, judging by the target, were intended to be used for bragging about it.
Fellow providers, may I suggest the following.
Script you should have: https://github.com/zoobab/openvz-scripts/blob/master/execall.sh
sh execall.sh "sed -i 's/recursion yes/recursion no/g' /etc/named.conf"
sh execall.sh "sed -i 's/recursion yes/recursion no/g' /etc/named.caching-nameserver.conf"
sh execall.sh "service bind9 restart"
It missed one for me. Easy manual fix. Sorry to clients for changing your configs, better that than blocking 53 or packing up the node and going home.
Sounds fun...
Been one of those weeks
No, just BIND or other name server recursion should be disabled, or enabled only for the legitimate DNS clients' subnet, or, if legitimate clients cannot be well defined by address, then rate limited.
DNS servers should be used as authoritative only - the easiest fix. However, in my opinion even authoritative servers could get abused and be used in a DNS amplification attack; that requires more work, though, which makes it less probable, for now.
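An added Python example (not from the thread and not part of the execall script) that checks the same thing the sed one-liners above do, but tolerates extra whitespace, applies BIND's default of recursion yes when the directive is absent, and also inspects the allow-recursion ACL so a server that recurses only for its own subnet is not flagged. The named.conf snippets are constructed; treating a missing allow-recursion as open is an assumption (older BIND defaulted it to any).

```python
import re

# Constructed sample: recursion on with extra spaces (the sed pattern
# 'recursion yes' would not match this line) and an open ACL.
SAMPLE_OPEN = """
options {
    directory "/var/named";
    recursion   yes;   // open to the world
    allow-recursion { any; };
};
"""

# Constructed sample: recursion on, but limited to the provider's own clients.
SAMPLE_RESTRICTED = """
options {
    recursion yes;
    allow-recursion { 127.0.0.1; 10.0.0.0/8; };  # own subnet only
};
"""

def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # /* ... */
    return re.sub(r"(//|#).*", "", text)                  # // and # to EOL

def _options_block(text):
    """Return the body of the options { ... } block by matching braces."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return text[start:]

def audit(conf):
    """Classify a named.conf as 'open', 'restricted' or 'authoritative-only'."""
    body = _options_block(_strip_comments(conf))
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", body)
    recursion = rec.group(1) if rec else "yes"   # BIND defaults to recursion yes
    if recursion == "no":
        return "authoritative-only"
    acl = re.search(r"\ballow-recursion\s*\{([^}]*)\}", body)
    if acl is None:
        return "open"   # assumption: no ACL treated as open
    entries = [e.strip() for e in acl.group(1).split(";") if e.strip()]
    return "open" if "any" in entries else "restricted"

def disable_recursion(conf):
    """Whitespace-tolerant equivalent of the thread's sed rewrite."""
    return re.sub(r"\brecursion\s+yes\s*;", "recursion no;", conf)
```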
That will find BIND installations, but it won't find other DNS software that could also be configured to allow open recursion.
That script takes care of the BIND open recursor problem, but any installation of bind9 could still leave servers open to DDoS attacks if users haven't applied the latest bind9 security patches that were issued this week by ISC.
http://www.infoworld.com/d/security/critical-denial-of-service-flaw-in-bind-software-puts-dns-servers-risk-215467
https://kb.isc.org/article/AA-00871
Gonna be a big template overhaul next week. Hope I can make it that long.
Yes. Yes it will. Did I say otherwise? If you'd like to share your magical mystery search-all DNS configuration, go ahead. I'll stick with my method that finds 99% of installs.
On a BIND9 implementation running the RRL patches, add the following lines to the options block of the authoritative views [13]:
http://www.us-cert.gov/ncas/alerts/TA13-088A
Looking at the OpenVZ templates released 3/15, it looks like they all have bind disabled. Not usually a fan of just hopping on whatever they offer there, but there's room for customizations later; looks like a really good starting point for those thinking of that lengthy task.
Disabling recursion at the OpenVZ template level is okay too, for the templates that already include a name server daemon, but there are some that don't and have to be dealt with afterwards.
Wouldn't it be easier to scan the network for open DNS resolvers instead of relying on a script which a) only works if you have direct access to the VPS's file system and b) doesn't detect anything except named?
It should be pretty easy to wrap this tool in a script and periodically monitor an entire CIDR block:
http://monkey.org/~provos/dnsscan/