Limiting DDoS attacks on a nameserver

/dev/rob0 rob0 at gmx.co.uk
Tue May 24 17:31:06 UTC 2011


I'm being hit by a collection of scoundrels all using source port 53, 
seeking 'x.kyuhhh.strangled.net/TXT/IN'. No, I am not authoritative 
for that name. This happened on cardinal.lizella.net.

Attackers:
=========
50.19.102.31 :: ec2-50-19-102-31.compute-1.amazonaws.com.
50.19.106.0 :: ec2-50-19-106-0.compute-1.amazonaws.com.
66.228.54.207 :: li296-207.members.linode.com.
67.21.85.227 :: 227.85.21.67.in-addr.arpa not found: 2(SERVFAIL)
		network:NetName:MICHAEL-STOWE-67.21.85.192
		network:OrgName:RAVENOUS-NETWORKS
68.243.98.206 :: 68-243-98-206.pools.spcsdns.net.
108.118.122.235 :: 108-118-122-235.pools.spcsdns.net.
		(NXDOMAIN, but owned by Sprint)
173.137.7.112 :: 173-137-7-112.pools.spcsdns.net.
174.151.36.3 :: 174-151-36-3.pools.spcsdns.net.
174.97.168.166 :: cpe-174-097-168-166.nc.res.rr.com.
174.97.171.72 :: cpe-174-097-171-072.nc.res.rr.com.
184.254.7.84 :: 184-254-7-84.pools.spcsdns.net.
		(NXDOMAIN, but owned by Sprint)
184.73.197.248 :: ec2-184-73-197-248.compute-1.amazonaws.com.

Logs of the last one:
====================
May 24 01:13:45 cardinal named[1096]: client 184.73.197.248#53: query (cache) 'x.kyuhhh.strangled.net/TXT/IN' denied
May 24 01:14:15 cardinal last message repeated 956 times
May 24 01:15:15 cardinal last message repeated 1998 times
May 24 01:16:15 cardinal last message repeated 2886 times
May 24 01:17:15 cardinal last message repeated 3839 times
May 24 01:18:15 cardinal last message repeated 3872 times
May 24 01:19:15 cardinal last message repeated 3952 times
May 24 01:20:15 cardinal last message repeated 3981 times
May 24 01:21:10 cardinal last message repeated 3530 times
May 24 01:21:11 cardinal named[1096]: client 184.73.197.248#53: query (cache) 'x.kyuhhh.strangled.net/TXT/IN' denied
May 24 01:21:42 cardinal last message repeated 1973 times
May 24 01:22:43 cardinal last message repeated 3925 times
May 24 01:23:44 cardinal last message repeated 3849 times
May 24 01:24:45 cardinal last message repeated 3850 times
May 24 01:25:45 cardinal last message repeated 3857 times
May 24 01:26:24 cardinal last message repeated 2457 times

If you're keeping score at home, that was 44927 until I blocked it in 
the firewall. Another 4695 hits on the firewall means it did almost 
50K queries in approximately 13-15 minutes total.

All the attackers were doing similar things, but for most of them it was 
not so easy to calculate the total, because at 2011-05-23 01:12 UTC there 
were two of them hitting at the same time. And that also leads to an 
interesting observation: when there were two hitting, there were 
*exactly* two. One would stop, and another (which might have been 
previously attacking) would take its place. This kept up until 01:39, 
when I saw the activity and blocked the offending (spoofed?) IP 
addresses in the firewall.

Above is all that I have seen so far on 2011-05-24, but there too the 
timing is interesting: it leads me to believe I can expect a resumed 
assault at 01:10-:15 UTC tonight. But since some of the attacking IP 
addresses might already be blocked, it might not show in the log.

Questions:
=========
1. What is this? Is it targeted at me (my site) personally, or some 
   kind of worm/malware crawling the Internet?
2. Is it harming me, other than the waste of bandwidth and logging?
3. Is there anything that I can (or should) do with named to limit
   or mitigate these attacks?
  3a. Can named trigger an external action on receipt of a certain
      query?
4. What can be done outside of named about this?
  4a. fail2ban, I know about, but would rather not.
  4b. Linux iptables -m recent connection limiting

Linux iptables "recent" match:
=============================
I know how to do this; in fact I have firewalls limiting both SSH and 
SIP access using -m recent rules. What I am not so sure about: how 
much is a "safe" limit? I think if I set a limit of maybe a hundred
queries in 10 seconds, I would stop this kind of attack without 
affecting normal resolution.

In a related matter, as noted, this attack was all on source port 53. 
It's not safe to block source port 53, is it? I suppose there are 
lots of broken resolvers out there which are still using source port 
53. But maybe my "recent" limitations should only apply to --sport 53 
queries?

Here is what I did with -m recent for SIP:
    http://www.spinics.net/lists/netfilter/msg49676.html
The approach for DNS, at least on the UDP side, will have to be 
similar, because this whole attack would be in conntrack --ctstate 
ESTABLISHED (after the initial refused query.)
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header
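The post's query counts come from syslog-folded BIND log lines ("last message repeated N times"), and the "safe limit" question hinges on the actual per-second rate of the denied queries. The following is an added example (not code from the post or from BIND) that unfolds those repeat lines, totals denied queries per client, lists which clients used source port 53, and reports the peak observed rate so a `-m recent` threshold can be checked against it. Assumptions: the log year is 2011 (syslog timestamps carry none), and the N repeated messages are treated as having arrived in the interval between the previous record and the repeat line, which is an approximation of how syslog emits those summaries.

```python
"""Unfold BIND 'query ... denied' log lines folded by syslog and measure the
denied-query rate per client (added example; not from the original post)."""
import re
from collections import defaultdict
from datetime import datetime

# The log excerpt from the post, verbatim (the two wrapped query lines re-joined).
LOG_EXCERPT = """\
May 24 01:13:45 cardinal named[1096]: client 184.73.197.248#53: query (cache) 'x.kyuhhh.strangled.net/TXT/IN' denied
May 24 01:14:15 cardinal last message repeated 956 times
May 24 01:15:15 cardinal last message repeated 1998 times
May 24 01:16:15 cardinal last message repeated 2886 times
May 24 01:17:15 cardinal last message repeated 3839 times
May 24 01:18:15 cardinal last message repeated 3872 times
May 24 01:19:15 cardinal last message repeated 3952 times
May 24 01:20:15 cardinal last message repeated 3981 times
May 24 01:21:10 cardinal last message repeated 3530 times
May 24 01:21:11 cardinal named[1096]: client 184.73.197.248#53: query (cache) 'x.kyuhhh.strangled.net/TXT/IN' denied
May 24 01:21:42 cardinal last message repeated 1973 times
May 24 01:22:43 cardinal last message repeated 3925 times
May 24 01:23:44 cardinal last message repeated 3849 times
May 24 01:24:45 cardinal last message repeated 3850 times
May 24 01:25:45 cardinal last message repeated 3857 times
May 24 01:26:24 cardinal last message repeated 2457 times
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
DENIED_RE = re.compile(
    TS + r" \S+ named\[\d+\]: client (?P<ip>[0-9.]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<qname>[^']+)' denied$"
)
REPEAT_RE = re.compile(TS + r" \S+ last message repeated (?P<n>\d+) times$")


def _parse_ts(text, year):
    # Syslog timestamps have no year; the post is from 2011 (assumption).
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def unfold(log, year=2011):
    """Return a list of (timestamp, ip, port, qname, count, seconds) events.

    A 'last message repeated N times' line is attributed to the preceding
    query line's client and name. 'seconds' is the gap to the previous
    record, taken as the window in which those N queries arrived
    (approximation: syslog stamps the summary when it emits it).
    """
    events = []
    last = None      # (ip, port, qname) of the most recent query line
    prev_ts = None
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DENIED_RE.match(line)
        if m:
            ts = _parse_ts(m["ts"], year)
            last = (m["ip"], int(m["port"]), m["qname"])
            gap = (ts - prev_ts).total_seconds() if prev_ts else 0.0
            events.append((ts, *last, 1, gap))
            prev_ts = ts
            continue
        m = REPEAT_RE.match(line)
        if m and last is not None:
            ts = _parse_ts(m["ts"], year)
            gap = (ts - prev_ts).total_seconds()
            events.append((ts, *last, int(m["n"]), gap))
            prev_ts = ts
    return events


def totals_by_client(events):
    """Denied queries per client IP."""
    totals = defaultdict(int)
    for _ts, ip, _port, _qname, n, _gap in events:
        totals[ip] += n
    return dict(totals)


def clients_on_source_port_53(events):
    """Client IPs whose denied queries came from UDP source port 53."""
    return {ip for _ts, ip, port, _q, _n, _g in events if port == 53}


def peak_rate(events):
    """Highest queries-per-second seen over any one logged interval."""
    return max((n / gap for *_, n, gap in events if gap > 0), default=0.0)


def exceeds(events, limit, seconds):
    """True if the peak rate would trip an 'at most limit hits per seconds' rule."""
    return peak_rate(events) * seconds > limit


if __name__ == "__main__":
    ev = unfold(LOG_EXCERPT)
    for ip, n in totals_by_client(ev).items():
        print(f"{ip}: {n} denied queries")
    print(f"source port 53 clients: {sorted(clients_on_source_port_53(ev))}")
    print(f"peak rate: {peak_rate(ev):.1f} queries/s")
    print("would trip 100 hits in 10 s:", exceeds(ev, 100, 10))
```

Run against the excerpt, this reproduces the 44927 total from the post and shows a sustained rate of roughly 64 queries per second, i.e. about 640 per 10 seconds, so the "a hundred in 10 seconds" threshold floated above would have matched this client within a couple of seconds while sitting well above what a single well-behaved resolver sends to a server that is not authoritative for the name. Before trusting any such limit, run the same parser over a day of normal logs and compare the peak legitimate per-client rate against the threshold.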
