DNS DoS Attack Remedy

Malicious hackers tie up servers with recursive look-ups

A close friend of mine, Skip Taylor, who runs the popular speechcomputing.com web site, brought to my attention news of the latest round of name server attacks. It is reported that some agitated hackers decided to attack some servers using what is termed "recursive DNS look-ups." What happens is that the attackers send a barrage of requests to a name server to look up a third-party web site. For example, they might ask Yahoo's name server to look up google.ca for them. By default, a name server will happily perform this request, and there is no problem with that in itself; however, it takes longer to fetch a non-cached remote DNS record than to retrieve a local one, so the server is tied up for a longer time. That extra time is what the attackers are exploiting.

Avoiding this problem is a rather simple matter for GNU/Linux ISPs. The ISP Ltd. Stapler utility for management of name servers was updated 20/03/2006 with this fix (version 4.7p). ISP Ltd. customers are automatically upgraded by now. If I am maintaining your DNS, then you are already protected. If you are maintaining your own DNS, just do this:

    joy ~ # stapler

Just press ENTER and your BIND configuration will be updated.

For other Linux ISPs, you can manually achieve what Stapler is doing by adding this line to your named.conf file within the options { } block:

    allow-recursion { localhost; 192.168.0.0/16; 10.0.0.0/8; };

The 192 and 10 subnets are replaced with whatever your local subnets are, so that the name servers will respond to your customers. If you put

    allow-recursion { none; };

your name servers will only look up domains for which they are authoritative (that is, your local domains).

NB: named.conf is normally located in /etc or /etc/bind. If it's not there, you can use "locate named.conf" or, if that doesn't work, "find / -name named.conf".

After making the change, reload or restart BIND:

    rndc reload

(or, if that doesn't work)

    /etc/init.d/named restart

Now you are protected from this kind of DoS attack. You can test this by using a machine on a subnet that is not in your 'allow-recursion' set to request a look-up of an outside domain:

    joy ~ $ nslookup google.ca ns1.ispltd.ca
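The manual fix above has two parts: checking whether the options { } block already restricts recursion, and inserting the allow-recursion line if it does not. The script below is an added example and is not part of the original page or of the Stapler utility; it shows the same check and edit done with portable awk, reading a named.conf on standard input and writing the result to standard output. The sample configuration is constructed for the example, and the subnet list passed to harden_conf is a placeholder to be replaced with your own.

```shell
#!/bin/sh
# Added example, not the ISP Ltd. Stapler code: detect an options { } block
# without allow-recursion and insert the restriction described on the page.

# Constructed sample named.conf: an open resolver, no allow-recursion at all.
SAMPLE_CONF='options {
    directory "/var/named";
    listen-on { any; };
};

zone "ispltd.ca" {
    type master;
    file "ispltd.ca.zone";
};'

# Read named.conf on stdin; print "restricted" if an allow-recursion
# statement appears inside the options { } block, otherwise "open".
recursion_state() {
    awk '
        /^[[:space:]]*options[[:space:]]*[{]/ { inopts = 1 }
        inopts && /allow-recursion/            { found = 1 }
        inopts && /^[[:space:]]*[}]/            { inopts = 0 }
        END { print (found ? "restricted" : "open") }
    '
}

# Insert "allow-recursion { <acl> };" as the first statement of the options
# block. $1 is the ACL body, e.g. "localhost; 192.168.0.0/16;" (placeholder).
add_allow_recursion() {
    awk -v acl="$1" '
        { print }
        /^[[:space:]]*options[[:space:]]*[{]/ && !done {
            print "    allow-recursion { " acl " };"
            done = 1
        }
    '
}

# Idempotent wrapper: only add the statement when the config is still open,
# so running it twice (as a config-management step might) changes nothing.
harden_conf() {
    conf=$(cat)
    if [ "$(printf '%s\n' "$conf" | recursion_state)" = "open" ]; then
        printf '%s\n' "$conf" | add_allow_recursion "$1"
    else
        printf '%s\n' "$conf"
    fi
}

# Usage: show the hardened version of the constructed sample.
printf '%s\n' "$SAMPLE_CONF" | harden_conf "localhost; 192.168.0.0/16; 10.0.0.0/8;"
```

Run it against a copy of your real named.conf, review the diff, and only then install the result and run rndc reload; the awk check is deliberately simple and treats any allow-recursion line inside options { } as a restriction, so it will not second-guess an existing ACL you have chosen.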
© 1999-2008 Angelo Babudro
Updated Thu, 23 Mar 2006 01:32:17 -0400 · Solo Deo gloria.