Protection against isc.org any attack – dns attack isc.org any query

ISC.ORG any ATTACK - dns attack isc.org any query

An attack on UDP port 53 is spreading these days (the isc.org ANY query attack). The attack goes like this:

The attacker sends a small UDP packet, using the victim's IP as the source address, to nameservers around the internet. The packet contains a DNS query that says, in effect, "send me all info about the domain isc.org". The DNS server replies to the real victim with a large packet containing all the info about isc.org. This looks simple, but the attacker sends this query to many servers at once and they all reply to the real victim.

isc.org any attack as seen in tcpdump:

23:19:15.165596 IP x.x.x.x.7185 > yourdnsserver.53: 13442+ [1au] ANY? isc.org. (37)

BIND logs:

20:28:00.643 client x.x.x.x#49046: query: isc.org IN ANY +ED (x.x.x.x)

If you see this in your logs, keep in mind that you are not the victim; x.x.x.x is the victim, and your server will reply to x.x.x.x.

Here's why the attackers use the isc.org ANY query (isc.org any attack):

# dig @8.8.4.4 yahoo.com any | grep SIZE
;; MSG SIZE  rcvd: 337

# dig @8.8.4.4 isc.org any | grep SIZE
;; MSG SIZE  rcvd: 2999

The reply from 8.8.4.4 (Google public DNS server) when asked about isc.org is large: nearly 3000 bytes, in response to a query of a few dozen bytes (37 in the tcpdump line above).

How the isc.org any attack works (dns attack isc.org any query)

The attacker assumes:
1. He can send fake packets (using the victim's IP as source). This is possible because the internet works by destination routing: packets are sent to their destination without checking their source. Some ISPs protect against this by checking that their clients only send packets from their assigned IP addresses (reverse path filtering), but there are still many ISPs out there that don't use this filtering and will pass spoofed packets towards their destination.
2. He can find open DNS servers: DNS servers that will answer any query for anyone who asks. There are many like this on the internet (SOHO routers, DNS servers with default configurations, etc.).

Both conditions are easy to meet today. It's only a matter of scale: if someone has enough hosts to send these packets from (infected Windows machines, hacked servers, etc.), anything can happen.

How to protect against isc.org any attack - dns attack isc.org any query

Protect your dns server against isc.org any attack

Step 1 to protect against isc.org any attack

THIS IS A MUST: configure your DNS server NOT to accept resolution requests from unauthorized IPs. If possible (for a caching-only DNS server), also block UDP port 53 from unauthorized IPs towards your server at the firewall.
In BIND:

named.conf:
include "/etc/namedb/acl.conf";

options in named.conf:
        allow-query     { "our-networks"; };
        allow-transfer  { "transferip"; };

in acl.conf:

acl "our-networks" {
        127.0.0.1/32;
        network1/x;
        network2/x;
};
acl "transferip" {
        127.0.0.1/32;
        x.x.x.x/32;
        y.y.y.y/32;
};


Step 2 to protect against isc.org any attack

If there are only a few sources, try to find where these packets are coming from and block them there.


Step 3 to protect against isc.org any attack

Limit UDP port 53 on your server, with something like this, I guess:
iptables -A INPUT -p udp --dport 53 -m connlimit --connlimit-above xx -j DROP
This might have an impact: if clients are forwarding DNS requests to your nameserver, their regular queries may stop working right.

Step 4 to protect against isc.org any attack

iptables can also do:
iptables -A INPUT -p udp --dport 53 -m string --hex-string "|03697363036f726700|" --algo bm --to 65535 -j DROP
which matches the name isc.org in DNS wire format (length byte 03, "isc", 03, "org", then the 00 terminator) anywhere in the packet, i.e. that exact query name.

Or you could try to find out the exact size of the packet used for this attack (use Wireshark) and then block it:
iptables -I INPUT -p udp --dport 53 -m length --length xx -j DROP
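As an added example (Python written for this page, not code from the original post), the following parses BIND query log lines in the format shown above, counts ANY queries per claimed source IP so the spoofed victim addresses can be denied (Step 2), and shows that the hex string in the Step 4 iptables rule is the DNS wire encoding of the name isc.org. The log lines and addresses are constructed.

```python
import re
from collections import Counter

# BIND query log line format as shown on this page:
# 20:28:00.643 client x.x.x.x#49046: query: isc.org IN ANY +ED (x.x.x.x)
QUERY_LOG_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

def parse_query_line(line):
    """Return (client_ip, qname, qtype) or None for a line that is not a query entry."""
    m = QUERY_LOG_RE.search(line)
    if not m:
        return None
    return m["ip"], m["name"].rstrip(".").lower(), m["qtype"]

def amplification_sources(lines, qtype="ANY", threshold=3):
    """Claimed source IP -> count of `qtype` queries, for IPs at or above threshold.
    The source address is spoofed: it is the victim that receives our large replies,
    so these are the addresses to deny in allow-query or drop at the firewall (Step 2)."""
    counts = Counter()
    for line in lines:
        parsed = parse_query_line(line)
        if parsed and parsed[2] == qtype:
            counts[parsed[0]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def qname_wire_hex(name):
    """Hex of the DNS wire form of a name: length-prefixed labels, then a 00 root label.
    qname_wire_hex("isc.org") == "03697363036f726700", what the Step 4 --hex-string rule matches."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return "".join(f"{len(lb):02x}{lb.encode('ascii').hex()}" for lb in labels) + "00"

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    "20:28:00.643 client 192.0.2.10#49046: query: isc.org IN ANY +ED (198.51.100.1)",
    "20:28:00.651 client 192.0.2.10#7185: query: isc.org IN ANY +ED (198.51.100.1)",
    "20:28:00.660 client 192.0.2.10#51002: query: isc.org IN ANY +ED (198.51.100.1)",
    "20:28:01.102 client 10.0.0.5#53211: query: www.example.com IN A + (198.51.100.1)",
    "20:28:01.230 client 10.0.0.7#40211: query: isc.org IN ANY +ED (198.51.100.1)",
    "20:28:02.000 client 198.51.100.9#3000: query: example.net IN MX + (198.51.100.1)",
]

if __name__ == "__main__":
    for ip, n in amplification_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} ANY queries -> spoofed victim address, deny it")
    print("isc.org on the wire:", qname_wire_hex("isc.org"))
```

Note that the string match drops every inbound UDP/53 packet carrying the name isc.org, not only ANY queries, so legitimate lookups of isc.org through your server are dropped as well.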
