A couple of weeks ago the Internet was put-down by an attack on a core Internet service, the domain name system (DNS). As the Internet is a globally shared common resource we must all, as a community, take steps to prevent malicious actors from successfully DDoSing key critical Internet infrastructure and services.
To all the IT Security, Firewall, DNS, and Network Admins out there, at the end of this article are advanced Linux Netfilter iptables rules to drop Pizza DNS DDoS traffic, and all BIND9-like DNS query refused responses. Implementing just one of the Netfilter rules can cut DDoS traffic in half or more.
Take Action and Communicate Findings to ISPs:
I "Data Scientist-ed" a bunch of DNS server logs and identified a ton of malicious activity that, in part, forms today's Internet backscatter noise. I took action by grouping and sorting over ~100 million malicious requests and reporting individual ISP relevant details to a ~ half a dozen ISPs that originated the malicious traffic. This included an active ~1.2 million malicious requests/hour on-going attack - I had an interesting long-weekend :). To their credit, all the ISPs took action within minutes of receiving my report. Even the active attack was stopped within the hour.
The Pizza DNS DDOS Attack:
I decided to take a deeper dive into the technical realm of one malicious DDoS DNS attack which lets loosely call the Pizza DNS DDoS.
Capturing some traffic from the Pizza DNS DDoS attack one will find there isn't anything special about it (less some traffic has the source port of HTTP). In fact, this is an excellent generic example that I will use when teaching the next generation of IT Security experts, and Admins.
The attack, from a DNS server point of view, is a simple normal DNS query for a non-served domain. A typical hardened DNS server will respond back with a query refused message. To the casual observer there isn't anything notable about it; however, to the highly skilled security conscious expert they know the point of this attack is to create an overwhelming tsunami wave of Internet traffic with the hopes of overloading critical portions of key Internet infrastructure and/or services. This attack is generically known as DNS Amplification.
Using Advanced Linux Netfilter iptables ACL Rules to Drop Pizza DDoS DNS Requests and All BIND9 Query Refused Responses
I reviewed the usual sources of Information on how to respond to an attack such as this and found the information to be mostly generic and basically useless. Most stopped at suggesting one disable DNS recursive queries. I am underwhelmed by such recommendations.
Using one advanced Netfilter firewall rule cut DDoS traffic in half!
In order to write the needed advanced Netfilter iptables rules one needs a bit-level understanding of 3 different network protocols: IP, UDP, and DNS; electronics-like mathematics, and of course knowledge of networking, Linux, and Netfilter's advanced features.
The below rule will search inbound DNS server traffic for a DNS query that starts with "pizzaseo" and log the traffic:
- iptables -I INPUT 1 -d YOUR_DNS_SERVER_IP_ADDRESS -p udp -m udp --dport 53 -m string --string "pizzaseo" --algo kmp --from 41 --to 48 -j NFLOG --nflog-prefix "DROP PizzaSEO DDoS ATTACK Requests"
The below rule examines the IP header to find the start of UDP's data, and examines DNS flags for a refused response. When found the traffic it is logged:
- iptables -I OUTPUT 1 -s YOUR_DNS_SERVER_IP_ADDRESS -p udp -m udp --sport 53 -m u32 --u32 "0x0>>0x16&0x3c@0x8&0x8005=0x8005" -j NFLOG --nflog-prefix "DROP OUTBOUND DNS Query Refused Response"
Create a similar drop rule as may be needed in your enterprise. The above 2 rules use a slightly different strategy and the strategies could easily be replaced by one another. The string rule is easier to understand, implement, and change by more people. The u32 rule on the other hand is within grasp of far fewer people, but will not likely require any changes should the attack change.
Next Steps
Going forward one should consider creating rules to form an automated blocking list using xt_recent, and ipset; however, be mindful that UDP traffic is easily spoofed.
Blog posted by Jason Muskat at https://www.linkedin.com/pulse/stop-feeding-pizza-ddos-dns-attack-jason-muskat/
Không có nhận xét nào:
Đăng nhận xét