Discussion:
DNS Amplification Attacks
Reindl Harald
2014-08-01 08:47:51 UTC
Name: DNS Amplification Attacks
Configuration:
Family: Denial of Service
OID: 1.3.6.1.4.1.25623.1.0.103718
Version: $Revision: 11 $

I doubt

named.conf:
rate-limit
{
responses-per-second 10;
window 5;
};
Michael Meyer
2014-08-01 09:15:40 UTC
Post by Reindl Harald
Name: DNS Amplification Attacks
Family: Denial of Service
OID: 1.3.6.1.4.1.25623.1.0.103718
Version: $Revision: 11 $
I doubt
rate-limit
{
responses-per-second 10;
window 5;
};
How many bytes does the request have and how many does the response? The
NVT will tell you that. The NVT should only report if the response length
is > "request_len*2".

Micha
--
Michael Meyer OpenPGP Key: 0xAF069E9152A6EFA6
http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG
Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
Reindl Harald
2014-08-01 09:24:33 UTC
Post by Michael Meyer
Post by Reindl Harald
Name: DNS Amplification Attacks
Family: Denial of Service
OID: 1.3.6.1.4.1.25623.1.0.103718
Version: $Revision: 11 $
I doubt
rate-limit
{
responses-per-second 10;
window 5;
};
How many bytes does the request have and how many does the response? The
NVT will tell you that. The NVT should only report if the response length
is > "request_len*2".
Looking at the override and seeing TCP makes me believe that
is the problem; interesting that it is only reported on
one out of 4 DNS servers:
Port: 53/tcp

Given that the machine has the following
settings, the response size is limited:
edns-udp-size 512;
minimal-responses yes;

Maybe it's a false positive after all, since the server allows
recursion from the scanner IP, but "minimal-responses"
reduces even ANY requests dramatically.
Michael Meyer
2014-08-01 09:31:57 UTC
Post by Reindl Harald
Post by Michael Meyer
Post by Reindl Harald
Name: DNS Amplification Attacks
Family: Denial of Service
OID: 1.3.6.1.4.1.25623.1.0.103718
Version: $Revision: 11 $
I doubt
rate-limit
{
responses-per-second 10;
window 5;
};
How many bytes does the request have and how many does the response? The
NVT will tell you that. The NVT should only report if the response length
is > "request_len*2".
Looking at the override and seeing TCP makes me believe that
is the problem; interesting that it is only reported on
one out of 4 DNS servers:
Port: 53/tcp
That's a bug in the NVT. It reports for TCP but in fact means UDP.
Fixed in r596.

Again: how many bytes does the request have and how many does the
response?

Micha
Reindl Harald
2014-08-01 10:09:23 UTC
Post by Michael Meyer
Post by Reindl Harald
Post by Michael Meyer
Post by Reindl Harald
Name: DNS Amplification Attacks
Family: Denial of Service
OID: 1.3.6.1.4.1.25623.1.0.103718
Version: $Revision: 11 $
I doubt
rate-limit
{
responses-per-second 10;
window 5;
};
How many bytes does the request have and how many does the response? The
NVT will tell you that. The NVT should only report if the response length
is > "request_len*2".
Looking at the override and seeing TCP makes me believe that
is the problem; interesting that it is only reported on
one out of 4 DNS servers:
Port: 53/tcp
That's a bug in the NVT. It reports for TCP but in fact means UDP.
Fixed in r596.
Again: how many bytes does the request have and how many does the
response?
It says: "We send a DNS request of 17 bytes and received a response of 228 bytes"
Post by Michael Meyer
The NVT should only report if the response length is > "request_len*2"
No! The NVT should only report if you can trigger the same response
100 times per second, and it should detect the RRL configuration correctly.

Getting the answer below once or twice doesn't mean the server is
vulnerable, and recursion from own machines but with rate limiting
is also not vulnerable; an own machine can also be in a different
network, given that you must have auth nameservers in two networks.
_______________________________________________

[***@srv-rhsoft:~]$ dig ANY thelounge.net @ns1.thelounge.net
; <<>> DiG 9.9.4-P2-RedHat-9.9.4-15.P2.fc20 <<>> ANY thelounge.net @ns1.thelounge.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14647
;; flags: qr aa rd; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;thelounge.net. IN ANY

;; ANSWER SECTION:
thelounge.net. 86400 IN SPF "v=spf1 ip4:91.118.73.0/24 ip4:89.207.144.27 -all"
thelounge.net. 86400 IN TXT "v=spf1 ip4:91.118.73.0/24 ip4:89.207.144.27 -all"
thelounge.net. 86400 IN MX 10 barracuda.thelounge.net.
thelounge.net. 86400 IN NS ns2.thelounge.net.
thelounge.net. 86400 IN NS ns1.thelounge.net.
thelounge.net. 86400 IN A 91.118.73.5
thelounge.net. 86400 IN SOA ns2.thelounge.net. hostmaster.thelounge.net. 2014071101 3600 1800 1814400 3600

;; Query time: 34 msec
;; SERVER: 85.124.176.242#53(85.124.176.242)
;; WHEN: Fr Aug 01 12:05:10 CEST 2014
;; MSG SIZE rcvd: 289
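As an added example (not code from this thread, the NVT, or Greenbone), the following Python models the two detection rules argued over above: Michael's size ratio ("report only if the response is more than twice the request") and Harald's objection that the check should instead see whether the same response can be triggered many times per second against a BIND rate-limit configuration. Assumptions: the 17-byte request quoted by the NVT is a plain ANY query for the root name with no EDNS record, and the RRL model is a simplified token bucket, not BIND's full implementation.

```python
import struct

def build_dns_query(qname=".", qtype=255, txid=0x1234):
    """Minimal DNS query without an EDNS OPT record. qtype 255 = ANY.
    For the root name "." this is 12 header + 1 name + 4 type/class = 17
    bytes, the request size the NVT reported (assumption: that is what it
    sends; the thread does not show the actual query)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set, QDCOUNT=1
    labels = [label.encode() for label in qname.strip(".").split(".") if label]
    wire_name = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"  # root terminator
    return header + wire_name + struct.pack("!HH", qtype, 1)  # QCLASS=IN

def amplification_factor(request_len, response_len):
    """Bytes sent back per byte received; the number a reflector attack profits from."""
    return response_len / request_len

def size_rule_reports(request_len, response_len, factor=2.0):
    """Michael's proposed rule: report only if the response is > request_len * factor."""
    return response_len > request_len * factor

class SimpleRRL:
    """Simplified token-bucket model of BIND's
    rate-limit { responses-per-second N; window W; }.
    Assumption: one credit account per (client, response) tuple, burst
    capacity N*W credits, refill N credits per second. Real BIND RRL also
    has slip (truncated replies), leak and log-only modes, which are omitted."""
    def __init__(self, responses_per_second, window):
        self.rps = responses_per_second
        self.cap = responses_per_second * window
        self.accounts = {}  # key -> (credits, last_seen)

    def allow(self, key, now):
        credits, last = self.accounts.get(key, (self.cap, now))
        credits = min(self.cap, credits + (now - last) * self.rps)
        if credits >= 1:
            self.accounts[key] = (credits - 1, now)
            return True
        self.accounts[key] = (credits, now)  # over the limit: response dropped
        return False

def burst_delivered(rrl, key, count, now):
    """How many of `count` identical responses requested at time `now` the
    limiter would actually send; Harald's point is that this, not a single
    reply's size, tells you whether the server is usable as an amplifier."""
    return sum(rrl.allow(key, now) for _ in range(count))

if __name__ == "__main__":
    query = build_dns_query(".")
    print(len(query), round(amplification_factor(len(query), 228), 1))  # 17 13.4
    rrl = SimpleRRL(10, 5)  # the named.conf values from the first post
    key = ("scanner-ip", "ANY .")
    print(burst_delivered(rrl, key, 100, 0.0))  # 50: the burst capacity, the other 50 dropped
    print(burst_delivered(rrl, key, 100, 1.0))  # 10: one second of refill
```

A single 228-byte reply passes the size rule, yet with this configuration a scanner sending 100 identical queries per second gets at most 50 answers in the first second and 10 per second afterwards, which is the behaviour a less false-positive-prone check would measure.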
