Got caught up in a DNS amplified DDoS attack

Sure I’ve heard them mentioned. Along with everything else that’s wrong with traditional DNS, a great deal of it is done via UDP as opposed to TCP. I.e. no “Hi Server! (msg1)” – “Hi Client! Is this a connection? (inre:msg1, msg2)” – “It sure is, dear Server! (inre:msg2, msg3)” – “Cool! What? (inre:msg3, msg4)” and so on, lobbing packets of information back and forth, all pieced together. No, DNS goes “Hi I’m client X, I need to look up Y”, “Ok cool, here’s YINFO”. Since there’s no connection, you can lie about the sending address, causing the server to shove the response at some innocent other host, which will sit there when suddenly “Ok, cool, here’s YINFO!”. It’ll go “Wut?” to itself and toss it. But, as an extension of overloading a server with junk traffic, this can make you suddenly much louder – ask a question with a *really* long answer, and suddenly you can not just cause people to deal with your puny internet connection but cause them to receive many times that much from other servers you’ve tricked into sending it.

So until now, my DNSes have always been limited enough to not have this happen. But setting up a new server, DNS was the main issue – it hung multiple times from lack of functioning DNS. So I wasn’t too careful, and suddenly someone, many many someones, were requesting lots and lots of data.

So, now thinking for an additional second about it, I realize there’s really not much preventing this besides just not taking requests from outsiders. But there has to be some slack too – it’s not like everyone can have individual DNSes, nor can it be 100% centralized. And here, I’m not even sure who should have answers, but at least a decent chunk of local boxes.

Then when you do block, or (as I first did) just rip down your DNS shingle altogether for now, it’s not really stopping it much at first. After all, the point here is to shove traffic at someone else – there’s no real way to see if it makes it. It’s possible (and a good idea for effective mayhem) to mix it up and throw an answer back to yourself (more like “a place you control”) to make sure you’re not wasting your traffic sending into nothing, but.. that’s riskier than just sending it to the target, and a little trickier, and there isn’t that much punishment for slacking off and not checking often.

Finally fail2ban (set to bounce the requests with orders to the next router up that packets going “from” one of the targets to my DNS need to find another route, nothing down this path) started working, set up per . After a set time, it’ll start accepting again, but after a set amount.. ban again. It’s working pretty well and slowing it down. Looks like the herds are moving on. But that was way more of a thing than I expected. Worth configuring carefully the first time, I think.
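The two things the post describes, a flood of large-answer queries arriving with a spoofed source address and a ban that kicks in once a source passes a threshold, can be seen in a resolver’s query log before any ban fires. The script below is an added example, not the author’s fail2ban setup or its filter: it parses log lines in the shape of a BIND-style query log (the format, addresses and timestamps are constructed here, not taken from the post) and flags any “source” that sends more than a threshold of queries inside a sliding window, noting how many of them were ANY queries, the type whose long answer gives the amplification. Since the source address on these queries is the spoofed one, what gets flagged is the victim being aimed at, which is exactly what the post’s ban ends up keying on.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log shape (constructed for this example, modelled on BIND's query log):
# "<date> <time> client <src ip>#<port> (<name>): query: <name> IN <type> <flags> (<local ip>)"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?:@0x[0-9a-f]+ )?(?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+ "
    r"\([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)"
)

# Constructed sample: 192.0.2.10 "sends" six ANY queries in under two seconds
# (the spoofed victim address), 198.51.100.20 is ordinary traffic, and one
# line is junk the parser must skip.
SAMPLE_LOG = """\
26-Mar-2013 10:00:00.001 client 192.0.2.10#53 (example.net): query: example.net IN ANY +E (198.51.100.5)
26-Mar-2013 10:00:00.120 client 198.51.100.20#41233 (www.example.org): query: www.example.org IN A + (198.51.100.5)
26-Mar-2013 10:00:00.340 client 192.0.2.10#53 (example.net): query: example.net IN ANY +E (198.51.100.5)
26-Mar-2013 10:00:00.700 client 192.0.2.10#53 (example.net): query: example.net IN ANY +E (198.51.100.5)
26-Mar-2013 10:00:01.050 client 192.0.2.10#53 (example.net): query: example.net IN ANY +E (198.51.100.5)
26-Mar-2013 10:00:01.400 client 192.0.2.10#53 (example.net): query: example.net IN ANY +E (198.51.100.5)
26-Mar-2013 10:00:01.800 client 192.0.2.10#53 (example.net): query: example.net IN ANY +E (198.51.100.5)
26-Mar-2013 10:00:02.000 client 198.51.100.20#41234 (mail.example.org): query: mail.example.org IN MX + (198.51.100.5)
this line is not a query log entry
"""


def parse_line(line):
    """Return the timestamp, claimed source, name and type of one query line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
        "src": m["src"],
        "qname": m["qname"],
        "qtype": m["qtype"],
    }


def find_abusers(lines, threshold=5, window_seconds=10):
    """Flag sources that send >= threshold queries within any window_seconds span.

    Returns {src: {"queries": total, "any_queries": count_of_ANY}} for flagged sources.
    The source is whatever the packet claimed; under spoofing that is the target, not the sender.
    """
    recent = defaultdict(deque)  # src -> timestamps still inside the sliding window
    stats = defaultdict(lambda: {"queries": 0, "any_queries": 0})
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # junk or unrelated log line
        src = rec["src"]
        stats[src]["queries"] += 1
        if rec["qtype"] == "ANY":
            stats[src]["any_queries"] += 1
        window = recent[src]
        window.append(rec["ts"])
        # Drop timestamps that have fallen out of the window.
        while (rec["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[src] = stats[src]  # same dict object, so later counts keep accumulating
    return flagged


if __name__ == "__main__":
    for src, info in find_abusers(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['queries']} queries, {info['any_queries']} ANY  <- candidate for ban")
```

The threshold and window are the same two knobs the post’s fail2ban jail turns (how much before a ban, how long before it lifts), so a log replay like this is a cheap way to see what a given pair would have caught before putting it in front of live traffic.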
