I agree with Roland on the firewall placement. I add that the attack would likely have succeeded in exhausting the servers. There is a lot of recent DDoS activity on DNS with what looks like legitimate queries. You should also look at some DoS/application-level protections; Radware and Arbor top the list.

Leigh Porter <leigh.porter@ukbroadband.com> wrote:
On 18 Jan 2012, at 05:06, "toor" <lists@1337.mx> wrote:
Hi list,
I am wondering if anyone else has seen a large number of DNS queries coming from various IP ranges in China. I have been trying to find a pattern in the attacks but so far I have come up blank. I am completely guessing these are possibly DNS amplification attacks but I am not sure. Usually what I see is this:
At various seemingly random times over the past week I have had a DNS which is behind a firewall come under attack. The firewall is significant because the attacks killed the firewall as it is rather under-specified (not my idea..).
It did originate from Chinese address space and consisted of DNS queries for lots of hosts. There was also a port-scan in the traffic and a SYN attack on a few hosts on the same small subnet as the DNS, a web server and an open SSH port.
-- Leigh Porter
______________________________________________________________________ This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com ______________________________________________________________________
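toor's first message says the queries might be amplification but that no pattern was found, and Dennis notes floods that look like legitimate queries. The script below is an added triage example (mine, not code from anyone on the list) that tells the two patterns apart from a BIND-style query log: a reflection attack shows up as the same large-answer query (ANY, DNSKEY, TXT) repeated from one address, a random-subdomain flood as thousands of distinct names per source. The log lines are constructed, the addresses are documentation ranges and the thresholds are assumptions. One thing to keep in mind when reading its output: in a reflection attack the source address in the log is the spoofed victim, so a block list built from it punishes the target, not the attacker.

```python
"""Triage DNS query-log lines: reflection/amplification versus query flood.

Added example, not from the thread. The log lines are constructed in the
BIND 9 query-log shape and the thresholds are illustrative assumptions.
"""
import random
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Shape of a BIND 9 query-log line (constructed sample, not real data):
#   client <src>#<port>: query: <qname> IN <qtype> <flags> (<server-ip>)
LINE_RE = re.compile(
    r"client (?P<src>[0-9a-fA-F.:]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Query types with large answers: the usual amplification vector.
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}


@dataclass
class SourceStats:
    queries: int = 0
    qnames: set = field(default_factory=set)
    amplifying: int = 0
    edns: int = 0


def parse_line(line):
    """Return src/port/qname/qtype/flags for a query line, None otherwise."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Aggregate per-source counters over an iterable of log lines."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["src"]]
        s.queries += 1
        s.qnames.add(rec["qname"].lower())
        if rec["qtype"].upper() in AMPLIFYING_QTYPES:
            s.amplifying += 1
        if "E" in rec["flags"]:      # EDNS0: large UDP answers possible
            s.edns += 1
    return stats


def classify(stats, min_queries=20):
    """Label each source (thresholds are assumptions; tune to your baseline).

    'reflection': the same large-answer query repeated from one address. That
    address is almost certainly a spoofed victim; blocking it only finishes
    the attacker's job, rate-limit the responses instead.
    'random-subdomain flood': many distinct names per source. Each query looks
    legitimate; the volume of misses is what exhausts the server.
    """
    verdicts = {}
    for src, s in stats.items():
        if s.queries < min_queries:
            verdicts[src] = "normal"
            continue
        amp_ratio = s.amplifying / s.queries
        distinct_ratio = len(s.qnames) / s.queries
        if amp_ratio >= 0.8 and distinct_ratio <= 0.1:
            verdicts[src] = "reflection"
        elif distinct_ratio >= 0.8:
            verdicts[src] = "random-subdomain flood"
        else:
            verdicts[src] = "high-rate"
    return verdicts


def constructed_log():
    """Deterministic sample log (constructed; addresses are documentation ranges)."""
    rnd = random.Random(2012)
    srv = "(198.51.100.53)"
    lines = []
    # 40 identical ANY queries with EDNS "from" 192.0.2.10: reflection at that host.
    for i in range(40):
        lines.append(f"18-Jan-2012 05:06:{i % 60:02d}.{i:03d} client 192.0.2.10#{40000 + i}: "
                     f"query: example.net IN ANY -E {srv}")
    # 40 queries for distinct random labels from one source: random-subdomain flood.
    for i in range(40):
        label = "".join(rnd.choice("abcdefghijklmnopqrstuvwxyz0123456789") for _ in range(10))
        lines.append(f"18-Jan-2012 05:07:{i % 60:02d}.{i:03d} client 203.0.113.7#{50000 + i}: "
                     f"query: {label}.example.net IN A - {srv}")
    # A few ordinary lookups from a third host, and one non-query line to skip.
    for i, name in enumerate(["www.example.net", "mail.example.net", "www.example.net"]):
        lines.append(f"18-Jan-2012 05:08:{i:02d}.000 client 203.0.113.200#{60000 + i}: "
                     f"query: {name} IN A - {srv}")
    lines.append("18-Jan-2012 05:08:10.000 zone example.net/IN: loaded serial 2012011801")
    return lines


if __name__ == "__main__":
    for src, verdict in sorted(classify(summarize(constructed_log())).items()):
        print(f"{src:16} {verdict}")
```

On a real server feed `summarize()` the query log directly; the ratios are what matter, not the absolute counts, so set `min_queries` from your own per-source baseline before trusting any verdict.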
Yeah, like I say, it wasn't my idea to put DNS behind firewalls. As long as it is not *my* firewalls I really don't care what they do ;-)

-- Leigh Porter
-----Original Message----- From: Dennis [mailto:dennis@justipit.com] Sent: 18 January 2012 12:55 To: Leigh Porter; toor Cc: nanog@nanog.org Subject: Re: DNS Attacks
I agree with Roland on the firewall placement. I add that the attack would likely have succeeded in exhausting the servers. There is a lot of recent DDoS activity on DNS with what looks like legitimate queries. You should also look at some DoS/application-level protections; Radware and Arbor top the list.
On 18/01/2012 14:18, Leigh Porter wrote:
Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long as it is not *my* firewalls I really don't care what they do ;-)
As you're posting here, it looks like it's become your problem. :-D

Seriously, though, there is no value to maintaining state for DNS queries. You would be much better off to put your firewall production interfaces on a routed port on a hardware router so that you can implement ASIC packet filtering. This will operate at wire speed without dumping you into the colloquial poo every time someone decides to take out your critical infrastructure.

Nick
On Wed, Jan 18, 2012 at 10:05 AM, Nick Hilliard <nick@foobar.org> wrote:
On 18/01/2012 14:18, Leigh Porter wrote:
Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long as it is not *my* firewalls I really don't care what they do ;-)
As you're posting here, it looks like it's become your problem. :-D
Seriously, though, there is no value to maintaining state for DNS queries. You would be much better off to put your firewall production interfaces on a routed port on a hardware router so that you can implement ASIC packet filtering. This will operate at wire speed without dumping you into the colloquial poo every time someone decides to take out your critical infrastructure.
I get the feeling that Leigh had implemented this against his own advice for a client... that he's on board with the 'putting a firewall in front of a DNS server is dumb' meme...
On Jan 18, 2012, at 10:41:30 AM, Christopher Morrow wrote:
I get the feeling that leigh had implemented this against his own advice for a client... that he's onboard with 'putting a firewall in front of a dns server is dumb' meme...
In principle, this is certainly correct (and I've often said the same thing about web servers); in practice, though, a lot depends on the specs. For example: can the firewall discard useless requests more quickly? Does it do a better job of discarding malformed packets? Is the vendor better about supplying patches to new vulnerabilities? Can it do a better job filtering on source IP address? Does it do load-balancing? Are there other services on the same server IP address that do require stateful filtering?

As I said, most of the time a dedicated DNS appliance doesn't benefit from firewall protection. Occasionally, though, it might.

--Steve Bellovin, https://www.cs.columbia.edu/~smb
On Wed, Jan 18, 2012 at 11:34 AM, Steven Bellovin <smb@cs.columbia.edu> wrote:
In principle, this is certainly correct (and I've often said the same thing about web servers); in practice, though, a lot depends on the specs. For example: can the firewall discard useless requests more quickly? Does it do a better job of discarding malformed packets? Is the vendor better about supplying patches to new vulnerabilities? Can it do a better job filtering on source IP address? Does it do load-balancing? Are there other services on the same server IP address that do require stateful filtering?
yup... I think Roland and Nick (he can correct me, Roland I KNOW is saying this) are basically saying:

  permit tcp any any eq 80
  permit tcp any any eq 443
  deny ip any any

is far, far better than state management in a firewall. Anything more complex and your firewall fails long before the 7206's interface/filter will :( Some folks would say you'd be better off doing some LB/filtering-in-software behind said router interface filter, I can't argue with that.
As I said, most of the time a dedicated DNS appliance doesn't benefit from firewall protection. Occasionally, though, it might.
I suspect the cases where it MAY benefit are the 'lower packet rate, ping-o-death-type' attacks only though. Essentially 'use a proxy to remove unknown cruft' as a frontend to your more complex dns/web answering system, eh?

Under load though, high pps rate attacks/instances (victoria secret fashion-show sorts of things) your firewall/proxy is likely to die before the backend does ;(

-chris
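To make Nick's "no value to maintaining state for DNS queries" and Chris's three-line ACL concrete, here is an added simulation (my own, not code from anyone on the list): a minimal 5-tuple connection tracker and a stateless permit-53/deny-everything ACL, both fed the same spoofed-source UDP/53 flood with a trickle of genuine queries mixed in. Table size, idle timeout, packet rate and the addresses are assumptions; the stateful model merely refuses new flows once its table is full, where a real under-specified box tends to fall over outright, as Leigh's did.

```python
"""Stateful tracking versus a stateless ACL under a spoofed-source DNS flood.

Added illustration, not from the thread. Table size, idle timeout, flood rate
and the addresses are assumptions; real appliances behave worse than this model.
"""
import random
from collections import OrderedDict
from dataclasses import dataclass

DNS_SERVER = "198.51.100.53"   # assumed address of the authoritative server


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    proto: str    # "udp" or "tcp"
    dport: int
    ts: float     # seconds since start


# Stateless ACL, the DNS counterpart of the thread's port-80/443 list. First
# match wins, implicit "deny ip any any" at the end. Deciding a packet touches
# no per-flow memory, so a never-seen spoofed source costs nothing extra.
ACL = [
    ("udp", DNS_SERVER, 53, "permit"),
    ("tcp", DNS_SERVER, 53, "permit"),   # truncated answers, zone transfers
]


def acl_decide(pkt):
    for proto, dst, dport, action in ACL:
        if pkt.proto == proto and pkt.dst == dst and pkt.dport == dport:
            return action
    return "deny"


class StatefulFirewall:
    """Minimal connection tracker: one entry per UDP 5-tuple, idle-expired.

    Modelled failure: a full table refuses every new flow, legitimate or not.
    """

    def __init__(self, max_entries, udp_timeout):
        self.max_entries = max_entries
        self.udp_timeout = udp_timeout
        self.table = OrderedDict()   # 5-tuple -> last seen, oldest first
        self.refused = 0

    def _expire(self, now):
        while self.table:
            key, seen = next(iter(self.table.items()))
            if now - seen < self.udp_timeout:
                break
            self.table.popitem(last=False)

    def decide(self, pkt):
        if acl_decide(pkt) == "deny":          # the ACL still runs first
            return "deny"
        key = (pkt.src, pkt.sport, pkt.dst, pkt.proto, pkt.dport)
        self._expire(pkt.ts)
        if key in self.table:
            self.table.move_to_end(key)
            self.table[key] = pkt.ts
            return "permit"
        if len(self.table) >= self.max_entries:
            self.refused += 1
            return "deny"
        self.table[key] = pkt.ts
        return "permit"


def simulate(flood_pps=5000, seconds=10, table_size=10_000, udp_timeout=30.0, seed=1):
    """Run a constructed flood past both filters.

    Every 100th packet is a genuine UDP/53 query from a fixed resolver; the
    rest are UDP/53 queries with a fresh spoofed source address and port.
    Returns (legit_total, legit_passed_by_acl, legit_passed_by_fw, fw_table_peak).
    """
    rnd = random.Random(seed)
    fw = StatefulFirewall(table_size, udp_timeout)
    legit_total = acl_legit = fw_legit = peak = 0
    step = 1.0 / flood_pps
    for i in range(int(flood_pps * seconds)):
        t = i * step
        spoof = Packet(f"10.{rnd.randrange(256)}.{rnd.randrange(256)}.{rnd.randrange(1, 255)}",
                       rnd.randrange(1024, 65536), DNS_SERVER, "udp", 53, t)
        acl_decide(spoof)
        fw.decide(spoof)
        if i % 100 == 0:
            legit = Packet("203.0.113.200", rnd.randrange(1024, 65536), DNS_SERVER, "udp", 53, t)
            legit_total += 1
            acl_legit += acl_decide(legit) == "permit"
            fw_legit += fw.decide(legit) == "permit"
        peak = max(peak, len(fw.table))
    return legit_total, acl_legit, fw_legit, peak


if __name__ == "__main__":
    total, via_acl, via_fw, peak = simulate()
    print(f"{total} legitimate queries: ACL passed {via_acl}, stateful box passed {via_fw}")
    print(f"stateful table peaked at {peak} entries")
```

Run it and the stateless ACL passes every legitimate query, while the tracker stops passing them about two seconds in, once the spoofed sources have filled its table; raising the table size or shortening the timeout only moves that point. This is the argument against state, not against filtering: Steve's caveats about malformed packets and source-address filtering are things a router ACL can also do, statelessly.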
On Jan 18, 2012 8:43 AM, "Christopher Morrow" <morrowc.lists@gmail.com> wrote:
yup... I think roland and nick (he can correct me, roland I KNOW is saying this) are basically saying:
  permit tcp any any eq 80
  permit tcp any any eq 443
  deny ip any any
is far, far better than state management in a firewall. Anything more complex and your firewall fails long before the 7206's interface/filter will :( Some folks would say you'd be better off doing some LB/filtering-in-software behind said router interface filter, I can't argue with that.
As I said, most of the time a dedicated DNS appliance doesn't benefit from firewall protection. Occasionally, though, it might.
I suspect the cases where it MAY benefit are the 'lower packet rate, ping-o-death-type' attacks only though. Essentially 'use a proxy to remove unknown cruft' as a frontend to your more complex dns/web answering system, eh?
under load though, high pps rate attacks/instances (victoria secret fashion-show sorts of things) your firewall/proxy is likely to die before the backend does ;(
Very refreshing tone of conversation. Normally I hear a chorus of "defense in depth" blah when we should be talking about fundamental host/protocol-based robustness.... and matching risks with controls, not boxes with places on a network map.

It leads to: security is like an onion, it makes you cry. The NG stateful firewall is no firewall (tm).

I like https://www.opengroup.org/jericho/index.htm

Cb
-----Original Message----- From: Christopher Morrow [mailto:morrowc.lists@gmail.com] Sent: Wednesday, January 18, 2012 11:43 AM To: Steven Bellovin Cc: nanog@nanog.org Subject: Re: DNS Attacks

yup... I think Roland and Nick (he can correct me, Roland I KNOW is saying this) are basically saying:

  permit tcp any any eq 80
  permit tcp any any eq 443
  deny ip any any

is far, far better than state management in a firewall. Anything more complex and your firewall fails long before the 7206's interface/filter will :( Some folks would say you'd be better off doing some LB/filtering-in-software behind said router interface filter, I can't argue with that.
But you don't get the benefit of UNIFIED THREAT MANAGEMENT or SYN authentication with an access-list, or what happens if someone sends your WordPress blog a malformed GET request which causes it to give the attacker root? Or Slowloris, or one of any thousand other HTTP protocol-based attacks? (I'm being sarcastic, but that is the argument you will hear.)

Seriously though, if there is one thing I wish people would stop doing it is releasing web vulnerability scanners for free (like Acunetix); they're easy enough to catch because they use sitemaps, but they can be a bit annoying and generate a lot of load =)

-Drew
participants (7): Cameron Byrne, Christopher Morrow, Dennis, Drew Weaver, Leigh Porter, Nick Hilliard, Steven Bellovin