DNS Attack - Please help

Support for security such as Firewalls and securing linux
agriz
Posts: 267
Joined: 2011/11/19 15:17:40

DNS Attack - Please help

Post by agriz » 2015/06/13 23:09:53

Hi

I got a mail from my service provider saying "Open recursive resolver used for an attack: IP-ADDRESS"

As a quick fix,

options {
listen-on port 53 { 127.0.0.1; my-server-ip-address; };
...

}

Before, it was:

options {
listen-on port 53 { any; };
}

Will it solve the problem?


        listen-on port 53 { 127.0.0.1; ip; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query {
                any;
                };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "..."; //there is some directory path

        managed-keys-directory "...."; //there is some directory path

        pid-file "..."; //there is some directory path
        session-keyfile "..."; //there is some directory path
        also-notify {
                };
};


Please kindly advise me.

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: DNS Attack - Please help

Post by avij » 2015/06/14 04:33:50

No, that probably won't help.

Try adding allow-recursion { localhost; }; to the configuration. Depending on your configuration, you may also need to add your server's IP: allow-recursion { localhost; your-server-ip-address; };

If this name server is used by multiple machines in your network, you may need to allow them as well: allow-recursion { localhost; your-server-ip-address; 192.168.0.0/24; }; (where 192.168.0.x is your local network, adjust appropriately).
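As an added illustration (not code from the thread, and not part of BIND), a small Python checker that applies BIND 9's default chain for a missing allow-recursion statement to two constructed options blocks: the thread's allow-query { any; } plus recursion yes, and the same block with avij's ACL added. The 203.0.113.10 address and the 192.168.0.0/24 network are placeholders.

```python
import re

# Constructed named.conf fragments (not the poster's real file): the first is
# the thread's situation, the second adds avij's allow-recursion ACL.
OPEN_RESOLVER_CONF = """
options {
        listen-on port 53 { 127.0.0.1; 203.0.113.10; };
        allow-query { any; };
        recursion yes;
};
"""
FIXED_CONF = """
options {
        listen-on port 53 { 127.0.0.1; 203.0.113.10; };
        allow-query { any; };
        recursion yes;
        allow-recursion { localhost; 203.0.113.10; 192.168.0.0/24; };
};
"""

def _strip_comments(conf):
    # Drop /* */ and // or # comments so commented-out statements are ignored.
    conf = re.sub(r'/\*.*?\*/', '', conf, flags=re.S)
    return re.sub(r'(//|#).*', '', conf)

def _acl(conf, name):
    """Address list of `name { a; b; };`, or None when the statement is absent."""
    m = re.search(r'(?<![\w-])' + re.escape(name) + r'\s*\{([^}]*)\}', conf)
    if not m:
        return None
    return [t.strip() for t in m.group(1).split(';') if t.strip()]

def effective_recursion_acl(conf):
    """BIND 9 default chain when allow-recursion is absent: allow-query-cache,
    then allow-query, then { localnets; localhost; }. This is why changing
    listen-on alone does not help: allow-query { any; } still opens recursion."""
    conf = _strip_comments(conf)
    for name in ("allow-recursion", "allow-query-cache", "allow-query"):
        acl = _acl(conf, name)
        if acl is not None:
            return acl
    return ["localnets", "localhost"]

def is_open_resolver(conf):
    """True when recursion is on and the effective recursion ACL contains 'any'.
    Only the global options block is checked; view-level statements override it."""
    conf = _strip_comments(conf)
    m = re.search(r'(?<![\w-])recursion\s+(yes|no)\s*;', conf)
    recursion_on = (m.group(1) == "yes") if m else True  # BIND default is yes
    return recursion_on and "any" in effective_recursion_acl(conf)
```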

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: DNS Attack - Please help

Post by aks » 2015/06/14 07:03:43

You might also want to look at the "secure BIND template": http://www.cymru.com/Documents/secure-b ... plate.html

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: DNS Attack - Please help

Post by agriz » 2015/06/14 07:26:10

avij wrote:No, that probably won't help.

Try adding allow-recursion { localhost; }; to the configuration. Depending on your configuration, you may also need to add your server's IP: allow-recursion { localhost; your-server-ip-address; };

If this name server is used by multiple machines in your network, you may need to allow them as well: allow-recursion { localhost; your-server-ip-address; 192.168.0.0/24; }; (where 192.168.0.x is your local network, adjust appropriately).

Sir,

I turned off recursion.
recursion no; is given in the options now.

I have one dedicated server and I run three websites. All are sharing the same IP address.
Can I still add the lines you mentioned in options { ?

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: DNS Attack - Please help

Post by agriz » 2015/06/14 07:40:36

Sir,

I tried to see the connections list.
But it does not look like I have been hit by a DDoS.

Is there any way to check?


ps -aux|grep HTTP|wc -l
1

netstat -lpn|grep :80 |awk '{print $5}'|sort
0.0.0.0:*

TrevorH
Site Admin
Posts: 33224
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: DNS Attack - Please help

Post by TrevorH » 2015/06/14 11:00:59

DNS uses UDP and TCP port 53, not port 80.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: DNS Attack - Please help

Post by agriz » 2015/06/14 11:19:49


netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d:  -f1 | sort | uniq -c | sort
I tried this command.
Is it okay to use?

11 0.0.0.0
37 127.0.0.1

There are about 20 IPs listed with 1 before them,
about 10 IPs with 2 and 3 before them,
4 (about 4 to 5 IPs),
5 (about 4 to 5 IPs),
6 (about 3 IPs).

TrevorH
Site Admin
Posts: 33224
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: DNS Attack - Please help

Post by TrevorH » 2015/06/14 11:29:24

If you were under attack then just running tcpdump not port 22 -n -nn -l -i ethX would show you dozens of packets arriving and leaving. The "not port 22" is there in case you are connected over ssh and is to stop it looping when it dumps packets to port 22 about the packets it just saw... and obviously ethX needs amending to your real interface name.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
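As an added example (not from the thread, and not TrevorH's command), a Python script that reads saved output of tcpdump -n -nn and counts inbound port 53 queries per source, skipping the local networks you expect to see; the sample packets, the 203.0.113.10 server address and the threshold of 3 are constructed placeholders.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed "tcpdump -n -nn" output (not captured from a real host): the
# server is 203.0.113.10; one remote host sends a burst of queries to port 53.
SAMPLE_TCPDUMP = """\
11:00:01.000101 IP 198.51.100.7.40512 > 203.0.113.10.53: 4821+ A? example.net. (29)
11:00:01.000204 IP 198.51.100.7.40512 > 203.0.113.10.53: 4822+ A? example.net. (29)
11:00:01.000307 IP 192.168.0.5.51234 > 203.0.113.10.53: 1101+ A? www.example.com. (33)
11:00:01.000410 IP 198.51.100.7.40512 > 203.0.113.10.53: 4823+ A? example.net. (29)
11:00:01.000513 IP 203.0.113.10.53 > 192.168.0.5.51234: 1101 1/0/0 A 93.184.216.34 (49)
11:00:01.000616 IP 198.51.100.7.40512 > 203.0.113.10.53: 4824+ A? example.net. (29)
11:00:01.000719 IP 127.0.0.1.33001 > 127.0.0.1.53: 7+ A? localhost. (27)
11:00:01.000822 IP 198.51.100.9.4433 > 203.0.113.10.2222: Flags [S], seq 1, win 65535, length 0
"""

# Matches inbound DNS queries only, in the plain "src.sport > dst.53: id+ TYPE? name"
# form; responses and non-DNS packets do not match.
QUERY_RE = re.compile(
    r'^\S+ IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.53: \d+\+? [A-Z]+\? '
)

def inbound_query_counts(tcpdump_text, server_ip):
    """Count DNS queries per source IP that were sent to server_ip port 53."""
    counts = Counter()
    for line in tcpdump_text.splitlines():
        m = QUERY_RE.match(line)
        if m and m.group('dst') == server_ip:
            counts[m.group('src')] += 1
    return counts

def external_top_talkers(tcpdump_text, server_ip, allowed_nets, threshold=3):
    """Sources outside allowed_nets that sent at least `threshold` queries.
    Once allow-recursion is restricted, such clients get REFUSED for names the
    server is not authoritative for, so the query count is what to watch."""
    nets = [ip_network(n) for n in allowed_nets]
    counts = inbound_query_counts(tcpdump_text, server_ip)
    return [(src, n) for src, n in counts.most_common()
            if n >= threshold and not any(ip_address(src) in net for net in nets)]
```

Feed it a capture saved with tcpdump -n -nn -l -i ethX not port YOUR-SSH-PORT > dns.log, as in TrevorH's post with the ssh port adjusted.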

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: DNS Attack - Please help

Post by agriz » 2015/06/14 11:37:16

TrevorH wrote:If you were under attack then just running tcpdump not port 22 -n -nn -l -i ethX would show you dozens of packets arriving and leaving. The "not port 22" is there in case you are connected over ssh and is to stop it looping when it dumps packets to port 22 about the packets it just saw... and obviously ethX needs amending to your real interface name.
Sir, you are talking in highly technical terms and it is difficult for me to understand. I read it more than a few times and it is difficult to understand.
My sshd port is not 22. I changed it to something else.

TrevorH
Site Admin
Posts: 33224
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: DNS Attack - Please help

Post by TrevorH » 2015/06/14 11:49:28

Then change the excluded ssh port in my command to the one you used.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
