
A DNS cache server abused as an amplification lever

Today a machine on our domestic network was found to be generating abnormal traffic. Investigation showed that the DNS caching service running on it was being used as an amplification lever in an attack on someone else. A brief note follows.

When traffic is abnormal, the first thing to check is the TCP sessions on the server. A few unusual ones were found; after they were closed the traffic dropped, but it still did not return to normal. So the next step was to capture packets, and a large volume of this turned up:

    07:39:53.271744 IP 158.XX.XX.238.53019 > XX.XX.XX.XX.53: 56854+ [1au] ANY? isc.org. (36)
    07:39:53.271772 IP 158.XX.XX.238.53019 > XX.XX.XX.XX.53: 56854+ [1au] ANY? isc.org. (36)
    07:39:53.271784 IP 158.XX.XX.238.53019 > XX.XX.XX.XX.53: 56854+ [1au] ANY? isc.org. (36)
    07:39:53.271792 IP 158.XX.XX.238.53019 > XX.XX.XX.XX.53: 56854+ [1au] ANY? isc.org. (36)
    07:39:53.274225 IP 92.XX.XX.148.31650 > XX.XX.XX.XX.53: 23600+ [1au] ANY? isc.org. (36)
    07:39:53.274252 IP 92.XX.XX.148.31650 > XX.XX.XX.XX.53: 23600+ [1au] ANY? isc.org. (36)
    07:39:53.274262 IP 92.XX.XX.148.31650 > XX.XX.XX.XX.53: 23600+ [1au] ANY? isc.org. (36)
    07:39:53.274270 IP 92.XX.XX.148.31650 > XX.XX.XX.XX.53: 23600+ [1au] ANY? isc.org. (36)
    07:39:53.291822 IP 158.XX.XX.238.13616 > XX.XX.XX.XX.53: 56854+ [1au] ANY? isc.org. (36)
    07:39:53.291850 IP 158.XX.XX.238.13616 > XX.XX.XX.XX.53: 56854+ [1au] ANY? isc.org. (36)
    07:39:53.291860 IP 158.XX.XX.238.13616 > XX.XX.XX.XX.53: 56854+ [1au] ANY? isc.org. (36)
    07:39:53.291869 IP 158.XX.XX.238.13616 > XX.XX.XX.XX.53: 56854+ [1au] ANY? isc.org. (36)
    07:39:53.291877 IP 92.XX.XX.148.56278 > XX.XX.XX.XX.53: 23600+ [1au] ANY? isc.org. (36)

Obviously, the same IP address sending the same query for the same domain name several times within a few milliseconds is not normal. Why isc.org? That was not clear at the time, but the behaviour itself is clearly this machine being used as a lever to amplify an attack. (The [1au] in each line is one record in the additional section, which in a query is the EDNS0 OPT record that tells the server the client accepts UDP responses larger than 512 bytes; an ANY answer for a DNSSEC-signed zone such as isc.org runs to several kilobytes, against a 36-byte question, which is what makes the combination attractive as an amplifier.)

The attacker sends DNS queries whose source IP address is forged to be that of the final victim to DNS cache servers that are reachable from the Internet; the query packet is much smaller than the response. Because the cache server has already resolved the name locally (the name exists and its records are in the cache), it immediately sends the full response to the spoofed address, that is, to the final victim.
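The pattern in the capture above, repeated identical queries from one source to port 53 inside a fraction of a second, can be picked out mechanically. The following is an added example written for this note, not code from the original post: it parses tcpdump's query summary lines and flags (source, qtype, qname) triples that burst past a threshold inside a sliding window, marking the ANY-plus-EDNS combination as high amplification. The sample capture is constructed to mirror the lines in the post, with the masked addresses replaced by RFC 5737 documentation ranges and a private resolver address; the threshold and window are assumptions to tune per site.

```python
"""Flag repeated identical queries in a tcpdump DNS capture.

Added example (not from the original post). The sample capture is
constructed to mirror the lines in the post, with the masked addresses
replaced by documentation ranges (RFC 5737) and a private resolver address.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample. The source addresses are the *spoofed* victim
# addresses, not the attacker's; 10.0.0.53 plays the abused cache server.
SAMPLE_CAPTURE = """\
07:39:53.271744 IP 203.0.113.238.53019 > 10.0.0.53.53: 56854+ [1au] ANY? isc.org. (36)
07:39:53.271772 IP 203.0.113.238.53019 > 10.0.0.53.53: 56854+ [1au] ANY? isc.org. (36)
07:39:53.271784 IP 203.0.113.238.53019 > 10.0.0.53.53: 56854+ [1au] ANY? isc.org. (36)
07:39:53.271792 IP 203.0.113.238.53019 > 10.0.0.53.53: 56854+ [1au] ANY? isc.org. (36)
07:39:53.274225 IP 198.51.100.148.31650 > 10.0.0.53.53: 23600+ [1au] ANY? isc.org. (36)
07:39:53.274252 IP 198.51.100.148.31650 > 10.0.0.53.53: 23600+ [1au] ANY? isc.org. (36)
07:39:53.291822 IP 203.0.113.238.13616 > 10.0.0.53.53: 56854+ [1au] ANY? isc.org. (36)
07:39:55.100000 IP 192.168.1.20.40001 > 10.0.0.53.53: 1111+ A? www.example.com. (33)
07:39:56.200000 IP 192.168.1.20.40002 > 10.0.0.53.53: 1112+ AAAA? www.example.com. (33)
"""

# tcpdump query summary: "<ts> IP <src>.<sport> > <dst>.<dport>: <txid>[+] [<Nau>] <QTYPE>? <qname> (<len>)"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<rd>\+?) (?:\[(?P<flags>[^\]]*)\] )?"
    r"(?P<qtype>\w+)\? (?P<qname>\S+) \((?P<size>\d+)\)$"
)


def parse_line(line):
    """Parse one tcpdump DNS query line into a dict, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    t = datetime.strptime(m["ts"], "%H:%M:%S.%f")
    flags = m["flags"] or ""
    return {
        "t": t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6,
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "txid": int(m["txid"]),
        # "[1au]" = one additional record; in a query that is the EDNS0 OPT
        # record, which is what allows a UDP reply larger than 512 bytes.
        "edns": re.search(r"\d+au", flags) is not None,
        "qtype": m["qtype"], "qname": m["qname"], "size": int(m["size"]),
    }


def max_in_window(times, window):
    """Largest number of events that fall inside any span of `window` seconds."""
    times = sorted(times)
    best = left = 0
    for right in range(len(times)):
        while times[right] - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def detect_amplification(capture_text, window=1.0, threshold=3):
    """Return alerts for (src, qtype, qname) seen >= threshold times within `window` seconds.

    `window` and `threshold` are illustrative defaults, not tuned values.
    """
    by_key, edns, txids = defaultdict(list), defaultdict(bool), defaultdict(set)
    for line in capture_text.splitlines():
        q = parse_line(line)
        if q is None or q["dport"] != 53:
            continue
        key = (q["src"], q["qtype"], q["qname"])
        by_key[key].append(q["t"])
        edns[key] |= q["edns"]
        txids[key].add(q["txid"])
    alerts = []
    for (src, qtype, qname), times in by_key.items():
        burst = max_in_window(times, window)
        if burst >= threshold:
            alerts.append({
                "src": src, "qtype": qtype, "qname": qname, "burst": burst,
                "edns": edns[(src, qtype, qname)],
                # A real stub resolver picks a fresh txid per query; a spoofing
                # tool replaying one packet does not.
                "fixed_txid": len(txids[(src, qtype, qname)]) == 1,
                "high_amplification": qtype == "ANY" and edns[(src, qtype, qname)],
            })
    return sorted(alerts, key=lambda a: -a["burst"])


if __name__ == "__main__":
    for a in detect_amplification(SAMPLE_CAPTURE):
        print(a)
```

On the constructed sample only the 203.0.113.238 / ANY / isc.org triple trips the threshold (five queries inside one second, one transaction ID across two source ports, EDNS present); the two-query source and the ordinary A/AAAA lookups from an internal host stay silent. Feed it `tcpdump -nn -l udp dst port 53` output to run it against a live capture.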
In this way the attacker can fill the final victim's downstream bandwidth at a fraction of the cost in his own bandwidth, which is a DDoS attack. Since it is DDoS, it is not easy for the defending side to stop. In a traditional network design, however, the DNS cache server sits in the DMZ and internal hosts only ever query that resolver, so the impact of this kind of attack can be reduced by dropping, at the router, all DNS response packets arriving from outside that are not addressed to the resolver itself. For administrators who run DNS cache servers, access to the cache should be restricted: listen for queries only on the internal network interface, and use the external interface only to send queries upstream and receive their responses, so that the server cannot be used by bad actors as a lever for a DDoS against someone else.
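The post does not say which resolver software was running. As an added illustration, not the author's configuration, here is what that restriction looks like in BIND 9 named.conf, with the open-resolver setting that makes a cache usable as a lever beside the corrected one. The interface address 10.0.0.53 and the internal prefixes are assumptions.

```conf
// WEAK: an open resolver. Anyone on the Internet can ask this cache for
// anything, and a spoofed "ANY isc.org" gets a multi-kilobyte reply.
options {
    recursion yes;
    allow-query { any; };
};

// CORRECTED: answer only on the inside interface and only for inside clients.
// Outbound upstream queries are unaffected: named sends those from its own
// query-source socket, so the external interface still carries the
// resolver's own questions and their replies, just not third-party queries.
acl internal { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };

options {
    listen-on { 10.0.0.53; 127.0.0.1; };   // assumed internal address
    listen-on-v6 { none; };
    recursion yes;
    allow-query { internal; };
    allow-recursion { internal; };
    allow-query-cache { internal; };
    // Response Rate Limiting (BIND 9.9.4+): caps identical answers to one
    // client address, which blunts reflection even from permitted sources.
    rate-limit {
        responses-per-second 5;
    };
};
```

After reloading, confirm from an outside address that `dig @<external-ip> isc.org ANY` is refused rather than answered, and that the capture no longer shows unsolicited external queries reaching port 53.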

This article is published by www.internetweblist.com and does not represent the position of www.internetweblist.com. Source: http://www.internetweblist.com/Web_defense/28674.html
