The “isc.org” DNS attack

An attack on DNS (UDP port 53) has been spreading these days. The attacker uses botnets to send UDP DNS requests with a forged source IP address. When the DNS server answers the query, it sends the reply to that forged address.

Packets look like this:

SRC: 178.33.2.*:any
DST: yourdnsserver:53
QUERY: ANY? isc.org

The source IP is forged, but every DNS server configured with root hints will answer this packet. The problem:

Request size: 78 bytes
Answer size: 3656 bytes

So this is a 46x multiplier for DDoS attacks. Nice idea, bad for DNS server owners. There are a lot of websites discussing this issue:

Protection against isc.org any attack
http://www.minihowto.eu/…

How to block DNS Amplification Attack isc.org any attack
http://www.junkemailfilter.com/…

How to Launch a 65Gbps DDoS, and How to Stop One
http://blog.cloudflare.com/…

Is Your Open DNS Resolver Part of a Criminal Conspiracy?
https://www.isc.org/…

[issue-1] Routers don’t follow BCP38

So the problem has two sources. First, the internet routers that forward packets whose source addresses are not from the ranges behind those routers. In other words: why should a router forward a packet from a source that, according to its own routing table, belongs behind a different gateway? There is a routing "Best Current Practice" no. 38 (BCP38) that describes this as follows:

IF packet's source address from within [its assigned space]
THEN forward as appropriate

IF packet's source address is anything else
THEN deny packet

Thanks to Chip Marshall from dyndns.org for publishing this information. His post is here.

More information about BCP38 can be found here:
http://www.bcp38.info/index.php/Main_Page

[issue-2] DNS recursion

The other reason: a DNS server published on the internet should only answer queries for the zones it hosts. But most DNS servers are configured to perform recursive queries on behalf of any client that asks. This is why the attack has spread so widely.

To disable recursion on Windows DNS Servers:

  • Right-click the DNS server and click Properties
  • Select the Advanced tab
  • Under Server options, select the "Disable recursion" check box
  • Save using the OK button

More Information in TechNet: http://technet.microsoft.com/en-us/library/cc771738.aspx

Another way would be to remove all root hints and forwarders from the configuration. But disabling recursion is the easiest and most common approach. Note that this only fits a server that is meant to be authoritative-only: clients that use it as their resolver will no longer get answers for other domains.
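As an added example (not code from the original post), the BCP38 decision from the first section and the abuse pattern of this section in Python: an ingress check that forwards a packet only if its source lies in the prefixes assigned behind the interface, plus a scan over constructed query-log lines that flags sources sending repeated ANY queries for isc.org. The log format, sample addresses and threshold are assumptions.

```python
"""Added example (not from the original post): a BCP38-style ingress
check and a small detector for the 'ANY? isc.org' reflection pattern
in DNS query logs. Log format and thresholds below are assumptions."""
import ipaddress
from collections import Counter

# Request and answer sizes quoted in the post.
REQUEST_BYTES = 78
ANSWER_BYTES = 3656

def amplification_factor(request=REQUEST_BYTES, answer=ANSWER_BYTES):
    """Answer size divided by request size, rounded to one decimal."""
    return round(answer / request, 1)

def bcp38_forward(src_ip, assigned_prefixes):
    """BCP38 ingress filter: forward only if the packet's source address
    lies inside the address space assigned behind the receiving interface."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(p) for p in assigned_prefixes)

# Constructed query-log lines (assumed format: "<client> <qname> <qtype>").
SAMPLE_LOG = """\
178.33.2.10 isc.org ANY
178.33.2.10 isc.org ANY
178.33.2.10 isc.org ANY
10.0.0.5 www.example.com A
178.33.2.77 isc.org ANY
10.0.0.6 isc.org ANY
"""

def find_reflection_sources(log_text, qname="isc.org", threshold=2):
    """Return {source: count} for sources that sent more than `threshold`
    ANY queries for `qname`. Repeated ANY queries for one large name from
    a single 'client' are what a resolver owner looks for in the log."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        src, name, qtype = parts
        if qtype.upper() == "ANY" and name.rstrip(".").lower() == qname:
            counts[src] += 1
    return {s: c for s, c in counts.items() if c > threshold}

if __name__ == "__main__":
    print("amplification factor:", amplification_factor())
    print("forward 192.0.2.5 from 192.0.2.0/24:", bcp38_forward("192.0.2.5", ["192.0.2.0/24"]))
    print("forward 178.33.2.10 from 192.0.2.0/24:", bcp38_forward("178.33.2.10", ["192.0.2.0/24"]))
    print("suspect sources:", find_reflection_sources(SAMPLE_LOG))
```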

Other Links:

Alert from US-CERT: http://www.us-cert.gov/ncas/alerts/TA13-088A