The “isc.org” DNS attack

An attack on DNS udp port 53 is been spreading out these days. The attacker uses botnets to send out UDP packets using a fake SRC IP address for a DNS request. When the DNS server replies to this query, he sends it to that false address.

Pakets look like this:

SRC: 178.33.2.*:any
DST: yourdnsserver:53
QUERY: ANY? isc.org

The source IP is a fake, but every DNS servers configured with root hints will answer to this paket. Problem here:

Request size: 78 bytes
Answer size: 3656 bytes

So this is a 46x multiplier for DDOS attacks. Nice idea, bad for DNS server owners. There are a lot of websites talking about this issue:

Protection against isc.org any attack
http://www.minihowto.eu/…

How to block DNS Amplification Attack isc.org any attack
http://www.junkemailfilter.com/…

How to Launch a 65Gbps DDoS, and How to Stop One
http://blog.cloudflare.com/…

Is Your Open DNS Resolver Part of a Criminal Conspiracy?
https://www.isc.org/…

[issue-1] Routers don’t follow BCP38

So the problem has two sources; first the internet routers that allow pakets being transported with source addresses that aren’t from ranges behind those routers. Or in other words: Why should a router forward a packet from a source he already knows for a different gateway in his routing table? There’s a routing “best common practice” no. 38 that describes this as follow:

IF packet's source address from within [its assigned space]
THEN forward as appropriate

IF packet's source address is anything else
THEN deny packet

Thanks to Chip Marshall from dyndns.org for publishing this information. His post is here.

More Information about BPC38 can be found here:
http://www.bcp38.info/index.php/Main_Page

[issue-2] DNS recursion

The other reason is, a DNS server published in the internet should only answer queries for his zones. But most DNS servers are configured to perform recursive DNS queries on behalf of its clients. This is the reason, why this attack has spreaded out.

To disable recursion on Windows DNS Servers:

  • Right-click the DNS server and click Properties
  • Select the advaned tab
  • under Server options, select “Disable recursion” check box
  • Save using the OK button

More Information in TechNet: http://technet.microsoft.com/en-us/library/cc771738.aspx

Another way could be removing all root hints and forwarders from the config. But disable recursion is the easiest and most common.

Other Links:

Alert from US-CERT: http://www.us-cert.gov/ncas/alerts/TA13-088A

Advertisements

2 thoughts on “The “isc.org” DNS attack

  1. I dont know if you ever found a solution to this? I didn’t so I have written my own UDP packet filter that is presented as a Windows Service (64bit although I can provide a 32bit version if necessary).

    Its configurable so multiple domains can be specified in the filter but I only have a problem with isc.org from botnets participating in the DNS Reflection/Ampflication attack.

    Although I cannot erradicate the inital 50-64 byte request, the filter drops the that request before the DNS server receives and processes it, saving up to 140GB/month in upload bandwidth on my connection.

    If you (or anybody else is interested) please contact me at info@networkingfutures.co.uk

    • Thanks for your comment. My solution here was to block the specifis source IP adress (it’s still just one) using Windows Firewall. This stopps outgoing traffic from my server, but there’s still incoming traffic i can’t stop.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s