DNS Amplification Attacks Observer

MS
25. 7. 2014 23:20:07
Hi, could anyone advise me on the following problem? I have a dedicated server in Germany (Windows Server 2012 R2).
But the provider (hetzner.de) sent me the following email. Can you advise me how to deal with it? I assume someone is trying to do something (some kind of attack, I don't know) with the DNS that runs there because of Active Directory. It says it comes from the domain lalka.com.ru, and after asking uncle Google I found out that some "DNS Amplification Attacks Observer" attack comes from there. Here is the full text. Thanks for the help.
Of course there is an explanation in it of what I should do, roughly how to prevent it. But I would still like a knowledgeable person to explain to me what it is about :)
PS edit: I think I have also solved it. I found a great article about this: http://serverfault.com/questions/573465/what-is-an-open-dns-resolver-and-how-can-i-protect-my-server-from-being-misused
Return-path:
Envelope-to: abuse@hetzner.de
Delivery-date: Fri, 25 Jul 2014 22:32:05 +0200
Received: from (helo=mail.nuclearfallout.net)
by lms.your-server.de with esmtp (Exim 4.74)
(envelope-from )
id 1XAm9s-00020P-D3
for abuse@hetzner.de; Fri, 25 Jul 2014 22:32:05 +0200
Received: from www.nfoservers.com (www.nfoservers.com )
by mail.nuclearfallout.net (Postfix) with ESMTP id E4036391B4A
for ; Fri, 25 Jul 2014 13:31:53 -0700 (PDT)
Received: from www (localhost )
by www.nfoservers.com (Postfix) with SMTP id 64A9B1D7F27
for ; Fri, 25 Jul 2014 13:31:54 -0700 (PDT)
Subject: Open recursive resolver used for an attack: 148.251.236.205
Date: Fri, 25 Jul 2014 13:31:54 -0700
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
To: abuse@hetzner.de
Content-Transfer-Encoding: quoted-printable
From: NFOservers.com DDoS notifier
Message-Id: <20140725203154.64A9B1D7F27@www.nfoservers.com>
X-Virus-Scanned: Clear (ClamAV 0.98.1/19225/Fri Jul 25 20:54:37 2014)
X-Spam-Score: 0.5 (/)
Delivered-To: he1-abuse@hetzner.de
You appear to be running an open recursive resolver at IP address 148.251.236.205 that participated in an attack against a customer of ours today, generating large UDP responses to spoofed queries, with those responses becoming fragmented because of their size.
Please consider reconfiguring your resolver in one or more of these ways:
- To only serve your customers and not respond to outside IP addresses (in BIND, this is done by defining a limited set of hosts in "allow-query"; with a Windows DNS server, you would need to use firewall rules to block external access to UDP port 53)
- To only serve domains that it is authoritative for (in BIND, this is done by defining a limited set of hosts in "allow-query" for the server overall but setting "allow-query" to "any" for each zone)
- To rate-limit responses to individual source IP addresses (such as by using DNS Response Rate Limiting or iptables rules)
More information on this type of attack and what each party can do to mitigate it can be found here: http://www.us-cert.gov/ncas/alerts/TA13-088A
If you are an ISP, please also look at your network configuration and make sure that you do not allow spoofed traffic (that pretends to be from external IP addresses) to leave the network. Hosts that allow spoofed traffic make possible this type of attack.
Example DNS responses from your resolver during this attack are given below.
Timestamps (far left) are PDT (UTC-7), and the date is 2014-07-25.
12:05:16.443387 IP (tos 0x0, ttl 116, id 3937, offset 0, flags , proto UDP (17), length 1500) 148.251.236.205.53 > 31.186.250.x.58054: 28775| 47/0/1 lalka.com.ru. A 77.222.56.62, lalka.com.ru.
0x0000: 4500 05dc 0f61 2000 7411 75ad 94fb eccd E....a..t.u.....
0x0010: 1fba fa7f 0035 e2c6 0f9f e3a5 7067 8380 .....5......pg..
0x0020: 0001 002f 0000 0001 056c 616c 6b61 0363 .../.....lalka.c
0x0030: 6f6d 0272 7500 00ff 0001 c00c 0001 0001 om.ru...........
0x0040: 0000 0230 0004 4dde 383e c00c 0002 0001 ...0..M.8>......
0x0050: 0000 ..
12:05:16.443460 IP (tos 0x0, ttl 116, id 3938, offset 0, flags , proto UDP (17), length 1500) 148.251.236.205.53 > 31.186.250.x.62935: 49913| 47/0/1 lalka.com.ru. A 77.222.56.62, lalka.com.ru.
0x0000: 4500 05dc 0f62 2000 7411 75ac 94fb eccd E....b..t.u.....
0x0010: 1fba fa7f 0035 f5d7 0f9f 7e02 c2f9 8380 .....5....~.....
0x0020: 0001 002f 0000 0001 056c 616c 6b61 0363 .../.....lalka.c
0x0030: 6f6d 0272 7500 00ff 0001 c00c 0001 0001 om.ru...........
0x0040: 0000 0230 0004 4dde 383e c00c 0002 0001 ...0..M.8>......
0x0050: 0000 ..
12:05:16.443470 IP (tos 0x0, ttl 116, id 3939, offset 0, flags , proto UDP (17), length 1500) 148.251.236.205.53 > 31.186.250.x.35149: 64176| 47/0/1 lalka.com.ru. A 77.222.56.62, lalka.com.ru.
0x0000: 4500 05dc 0f63 2000 7411 75ab 94fb eccd E....c..t.u.....
0x0010: 1fba fa7f 0035 894d 0f9f b2d5 fab0 8380 .....5.M........
0x0020: 0001 002f 0000 0001 056c 616c 6b61 0363 .../.....lalka.c
0x0030: 6f6d 0272 7500 00ff 0001 c00c 0001 0001 om.ru...........
0x0040: 0000 0230 0004 4dde 383e c00c 0002 0001 ...0..M.8>......
0x0050: 0000 ..
(The final octet of our customer's IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is "127".)
-John
President
Nuclearfallout, Enterprises, Inc. (NFOservers.com)
(We're sending out so many of these notices, and seeing so many auto-responses, that we can't go through this email inbox effectively. If you have follow-up questions, please contact us at noc@nfoe.net.)
https://webtrh.cz/diskuse/dns-amplification-attacks-observer/#reply1042460
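What the provider's packet dumps actually show, as an added example that is not part of the original post or of NFOservers' notice: the Python below decodes the first hex dump quoted above (IPv4, UDP and DNS headers, the question and the first answer record) and estimates the amplification factor the spoofed query obtained. Two things in it are my assumptions, not facts from the notice: the spoofed query is taken to have carried a minimal 11-byte EDNS0 OPT record (a UDP answer of 3991 bytes is impossible without EDNS0, but the exact OPT size is unknown), and the trusted client range 10.0.0.0/8 at the end is a placeholder; `looks_like_amplification` is my own heuristic, not the criterion the provider used.

```python
"""Decode the first tcpdump hex dump from the abuse notice quoted above.
Added example, not code from the original post or from NFOservers: it parses
the IPv4, UDP and DNS headers plus the question and first answer, and
estimates how much larger the answer was than the spoofed query.
"""
import ipaddress
import struct

# Constructed from the first dump in the notice; the masked last octet of
# the target is 127, as the notice states. tcpdump printed only the first
# 0x52 bytes of the 1500-byte fragment, enough for headers and question.
SAMPLE_HEX = """
0x0000: 4500 05dc 0f61 2000 7411 75ad 94fb eccd
0x0010: 1fba fa7f 0035 e2c6 0f9f e3a5 7067 8380
0x0020: 0001 002f 0000 0001 056c 616c 6b61 0363
0x0030: 6f6d 0272 7500 00ff 0001 c00c 0001 0001
0x0040: 0000 0230 0004 4dde 383e c00c 0002 0001
0x0050: 0000
"""

QTYPE_NAMES = {1: "A", 2: "NS", 255: "ANY"}
EDNS_OPT_SIZE = 11  # assumption: a minimal OPT record in the spoofed query


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn 'tcpdump -x' lines such as '0x0010: 1fba fa7f ...' into bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _, _, words = line.partition(":")
        out += bytes.fromhex(words.replace(" ", ""))
    return bytes(out)


def read_name(msg: bytes, offset: int):
    """Read a DNS name (RFC 1035, with compression); return (name, next_offset)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels) + ".", offset + 1
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            return read_name(msg, pointer)[0], offset + 2
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def decode_packet(raw: bytes) -> dict:
    """Parse IPv4 + UDP + DNS header, question and first RR from a truncated dump."""
    ihl = (raw[0] & 0x0F) * 4
    total_len, _ip_id, frag = struct.unpack("!HHH", raw[2:8])
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    sport, dport, udp_len = struct.unpack("!HHH", raw[ihl:ihl + 6])
    dns = raw[ihl + 8:]
    txid, flags, _qd, an, _ns, ar = struct.unpack("!HHHHHH", dns[:12])
    qname, off = read_name(dns, 12)
    qtype, _qclass = struct.unpack("!HH", dns[off:off + 4])
    question_len = off + 4 - 12
    # First answer RR: owner name (a pointer here), type, class, TTL, RDLENGTH.
    rr_name, off = read_name(dns, off + 4)
    rr_type, _, _, rdlen = struct.unpack("!HHIH", dns[off:off + 10])
    rdata = dns[off + 10:off + 10 + rdlen]
    rdata_text = ".".join(str(b) for b in rdata) if rr_type == 1 else rdata.hex()
    # Smallest query that yields this answer: header + question + OPT record.
    # Without EDNS0 a UDP answer is capped at 512 bytes, yet the UDP length
    # field says the whole reassembled datagram is far larger than that.
    query_size = 12 + question_len + EDNS_OPT_SIZE
    response_size = udp_len - 8  # DNS payload of the full datagram
    return {
        "src": src, "dst": dst, "sport": sport, "dport": dport,
        "ip_total_len": total_len, "more_fragments": bool(frag & 0x2000),
        "txid": txid, "is_response": bool(flags & 0x8000),
        "recursion_desired": bool(flags & 0x0100),
        "recursion_available": bool(flags & 0x0080), "rcode": flags & 0x000F,
        "qname": qname, "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
        "answers": an, "additional": ar,
        "first_answer": "%s %s %s" % (rr_name, QTYPE_NAMES.get(rr_type, rr_type), rdata_text),
        "response_size": response_size,
        "amplification": round(response_size / query_size, 1),
    }


def looks_like_amplification(info: dict, trusted_nets, min_factor: float = 10.0) -> bool:
    """My heuristic, not the provider's: a big recursive answer sent to a host
    that is not one of this server's own clients (trusted_nets are CIDR strings)."""
    dst = ipaddress.ip_address(info["dst"])
    outside = not any(dst in ipaddress.ip_network(net) for net in trusted_nets)
    return bool(info["is_response"] and info["recursion_available"]
                and outside and info["amplification"] >= min_factor)


if __name__ == "__main__":
    info = decode_packet(hexdump_to_bytes(SAMPLE_HEX))
    for key, value in info.items():
        print("%-20s %s" % (key, value))
    # 10.0.0.0/8 is a placeholder for your own client networks.
    print("abusive:", looks_like_amplification(info, ["10.0.0.0/8"]))
```

The decoded fields line up with tcpdump's own summary line (IP id 3937, DNS id 28775, 47/0/1, the A record 77.222.56.62). The part the summary does not spell out is the question type, 0x00ff = ANY, and the UDP length field, 3999, meaning the full answer was a 3991-byte DNS message split into 1500-byte fragments: under the 41-byte query assumption that is about 97 bytes returned per spoofed byte sent. An AD DNS server only has to answer its own domain's machines, which is why the provider's first suggestion for Windows, firewall rules that limit access to UDP port 53 to those clients, removes the problem.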