DNS DDoS Attack mitigation!

Hi folks,

I’m dealing with a DDoS attack on one of my DNS servers. The attackers are using a broad range of patterns in sending the queries. For example:

    • 5 queries every 5 seconds for about 30s from one IP, or
    • 10 queries every 5 seconds for about 1 minute from one IP, or
    • 1 query per 1 second for about 20s from one IP, or
    • around 30 queries per minute with a little randomization in the query distribution for this time frame

My issue comes when I try to mitigate this attack, because they are changing the traffic pattern very often. If I manage to block one pattern, they come with another one. I have over 1000 IPs in a block list.

I modified the patterns as I noticed their changes in traffic but if I want to catch all the patterns I see, I might get rid of the legit traffic too. Can I concatenate many dst-limit patterns? I’m not sure of the outcome yet. Right now, for the latest pattern my filters are:
/ip firewall filter
add action=drop chain=forward comment="drop from all in dns-flood address list" dst-port=53 protocol=udp src-address-list=dns-flood
add chain=forward comment="add src IP to dns-flood address list" dst-limit=1,10,src-address/20s dst-port=53 protocol=udp
add action=add-src-to-address-list address-list=dns-flood address-list-timeout=23h59m59s chain=forward dst-port=53 protocol=udp

I cannot use the packet rate limit because it will drop the legit requests too, since the majority of the traffic is from attackers.

Do you have any hints?

Can the DNS queries be inspected on the query content? I observe the queries are for a limited number of domains every time, so this would be the easiest way of blocking THIS DDoS attack.

Authoritative name server? Or recursive name server? Doing both on one host?

If you’re doing recursion with this server, do you allow recursive queries from IPs that aren’t yours? If so, tightening that up may help. That probably won’t be a RouterOS fix though.

Do you have query logs? How many combined DoS queries per second are you dealing with?

Hi lambert,

it’s authoritative, recursion is disabled. This is a fairly recent DNS server.

I get 30 queries/s, 99.9% from attackers, but a lot of different IPs. From a single source IP I get around 30 queries/min but the distribution varies and they have a very large pool. With one pattern only I collected around 1k IPs for a 24h span.

I am not sure I would classify 30 queries per second as a DoS attack. I just took a quick sample on one of my three name servers and am seeing 95.37 queries per second. I am completely unconcerned about the load on a Pentium II at that level. We host a few hundred, fairly obscure, mostly local interest, domains. We have an authoritative view and a recursive view due to legacy configurations. The recursive view is only accessible by users on our physical network. 30 q/s sounds like background noise, to me.

As long as they can’t use your name servers as part of a DDoS against some other host, and the query traffic isn’t causing a significant impact on your uplink connection, I wouldn’t worry about it. You may have different priorities than I have. Some windmills aren’t worth doing battle against.

If you want to fight this, I would add a whitelist for my IP space, and possibly the space of ISPs in the local area, and some free-email hosting site’s name servers. Then you can set your query rate limits to fire at some rate 3 or 4 times higher than the highest legitimate query source you can identify. Maybe a big free-email hosting site’s name servers would be your fastest legitimate query source? It depends on the business being done by the owners of the domains you are hosting.

With botnets having millions of hosts, they can pound you into the dirt with query rates per IP, or /24 of IPs, below 2 q/s.

If you shorten your dns-flood address-list-timeout, it will minimize the amount of harm caused by a false positive match.

I would not worry about particular query patterns, unless you want to do the filtering on your name server based on a process watching the query log.

The last DNS query rate issue I worried about was a botnet infected machine on my network which was looking for the current command and control servers’ IP address(es). The botnet had been taken down and there were no answers for it to receive. It was doing 2Mbps of queries, limited to that only because that was the speed of my customer’s connection. My name servers were not having issues, I just noticed the higher than usual bandwidth in the MRTG graphs.
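The two ideas in this exchange, a per-source threshold set relative to the busiest legitimate source and a look at the query content, can be worked through on a query log. The following is an added example, not code from the thread or from any of the posters. It parses constructed lines laid out like BIND's query log (the addresses, names and timestamps are made up), whitelists one network, sets the threshold at 3x the busiest whitelisted source, and reports which names attract the most queries and from how many distinct sources.

```python
"""Per-source DNS query-rate and query-content analysis over a BIND-style query log.

Added example, not code from the thread.  It works through two ideas raised
above: setting the per-source threshold relative to the busiest legitimate
(whitelisted) source instead of chasing traffic patterns, and looking at which
names are being asked for.  All log lines are constructed for the example: the
layout imitates BIND's query log, but addresses, names and timestamps are made up.
"""
import ipaddress
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client "
    r"(?P<src>[\d.]+)#\d+ \([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return (timestamp, source IP, qname, qtype) or None for non-query lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("src"), m.group("qname").lower().rstrip("."), m.group("qtype")


def peak_rate(timestamps, window_s):
    """Highest query rate (q/s) one source reached in any sliding window."""
    q, best = deque(), 0
    for ts in sorted(timestamps):
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        best = max(best, len(q))
    return best / window_s


def analyse(lines, whitelist_cidrs, window_s=5, multiplier=3.0):
    """Peak rate per source, a threshold of `multiplier` times the busiest
    whitelisted source, the non-whitelisted sources above it, and the names
    attracting the most queries (count and number of distinct sources)."""
    whitelist = [ipaddress.ip_network(c) for c in whitelist_cidrs]

    def trusted(src):
        return any(ipaddress.ip_address(src) in net for net in whitelist)

    per_src, name_count, name_srcs = defaultdict(list), Counter(), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # not a query line (e.g. a 'general' category message)
            continue
        ts, src, qname, _ = rec
        per_src[src].append(ts)
        name_count[qname] += 1
        name_srcs[qname].add(src)
    rates = {src: peak_rate(tss, window_s) for src, tss in per_src.items()}
    legit = [r for src, r in rates.items() if trusted(src)]
    threshold = multiplier * max(legit) if legit else None
    flagged = sorted(src for src, r in rates.items()
                     if threshold is not None and r > threshold and not trusted(src))
    top_names = [(n, c, len(name_srcs[n])) for n, c in name_count.most_common(3)]
    return {"rates": rates, "threshold": threshold, "flagged": flagged, "top_names": top_names}


def constructed_log():
    """Constructed sample: a trusted mail-host resolver at 2 q/s, one stray client,
    six slow flood sources at 1 q/s asking for two names, and one bursty source."""
    base = datetime(2016, 2, 13, 10, 0, 0)

    def entry(offset, src, qname, qtype="A"):
        ts = (base + timedelta(seconds=offset)).strftime("%d-%b-%Y %H:%M:%S.%f")[:-3]
        return f"{ts} client {src}#4123 ({qname}): query: {qname} IN {qtype} + (192.0.2.1)"

    lines = [entry(i * 0.5, "198.51.100.7", f"host{i}.example.net", "MX") for i in range(20)]
    lines.append(entry(3.0, "203.0.113.200", "www.example.net"))
    lines.append("13-Feb-2016 10:00:04.000 general: info: zone example.net/IN: loaded")
    for n in range(6):
        lines += [entry(i + n * 0.1, f"203.0.113.{10 + n}", ("example.net", "ns1.example.net")[i % 2])
                  for i in range(20)]
    lines += [entry(30 + i * 0.02, "203.0.113.50", "example.net") for i in range(40)]
    return lines


if __name__ == "__main__":
    report = analyse(constructed_log(), ["198.51.100.0/24"])
    print(f"threshold: {report['threshold']:.1f} q/s, flagged by rate: {report['flagged']}")
    for src, rate in sorted(report["rates"].items(), key=lambda kv: -kv[1]):
        print(f"  {src:16} peak {rate:.1f} q/s")
    for name, count, nsrc in report["top_names"]:
        print(f"  {name:20} {count:4} queries from {nsrc} source(s)")
```

Running it prints the report. The six slow sources peak at about 1.2 q/s, well under a threshold derived from the 2.2 q/s mail-host resolver, which is the point made above about floods spread over many addresses: only the bursty source is caught by rate. The name concentration is a different signal (one name collects 100 queries from 7 sources while every other name gets one), and that is what a process watching the query log could act on, for instance by feeding an address list with a short timeout.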

Hi lambert,

I agree it’s not a concern… YET. My goal was to find a solution to mitigate the DNS flood, hoping that it will help in case of a more aggressive DNS flood rate.

Thanks for sharing your experience.

Hello Folks!

A bit late answering, I have been facing DDOS attacks on DNS for the second time now and one SIP attack some time ago.

We have an authoritative DNS behind the MT firewall. The DNS is also recursive and caching for local networks. Yes I know, you should have them separate, and it will be so when there is time to fix it. Meanwhile it is a mixed DNS with settings to cope with the situation as best as possible. Also DNS views could have been used for it.

I mitigated the DDOS DNS attack by doing the following in the MT device:

/ip firewall filter:
0 ;;; Port scanners to list
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=port-scanners address-list-timeout=1d

1 ;;; Port Scanners
chain=input action=drop src-address-list=port-scanners

2 ;;; DNS spammer
chain=forward action=drop src-address-list=WasADNSSpammer

/ip firewall nat:
16 ;;; List DNS spammers
chain=dstnat action=add-src-to-address-list to-addresses=172.16.0.10 to-ports=53 protocol=udp dst-address=X.X.X.X
src-address-list=!niceones address-list=WasADNSSpammer address-list-timeout=2w in-interface=ether1 dst-port=53 limit=1,5

17 ;;; List DNS spammers
chain=dstnat action=add-src-to-address-list to-addresses=172.16.0.10 to-ports=53 protocol=tcp dst-address=X.X.X.X
src-address-list=!niceones address-list=WasADNSSpammer address-list-timeout=2w in-interface=ether1 dst-port=53 limit=1,5

18 ;;; Portforward to local server
chain=dstnat action=dst-nat to-addresses=172.16.0.10 to-ports=53 protocol=udp dst-address=X.X.X.X in-interface=ether1 dst-port=53

19 ;;; Portforward to local server
chain=dstnat action=dst-nat to-addresses=172.16.0.10 protocol=tcp dst-address=X.X.X.X in-interface=ether1 dst-port=53

On the DNS server behind the MT firewall I did this:
/etc/named.conf:

// named.conf begin

// Access lists

acl clients {
    localnets;
    192.168/16;
    172.16/16;
    10/16;
    127.0.0.1/32;
};

options {
    // Don't expose version
    version "unknown";
    listen-on port 53 { any; };

    // Protect the DNS; it is answering recursive and caching queries for internal networks only.
    allow-recursion { "clients"; };
    allow-query-cache { "clients"; };

    // Also we limit the number of responses per second
    rate-limit {
        responses-per-second 5;
        window 5;
    };

    // Standard stuff
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.zones";
// named.conf end

The first two includes are standard files that come with the DNS package.
In /etc/named.zones I had to tell who is allowed to query what.

For zones only available to internal networks:
allow-query { clients; };

And for zones publicly available, for which we are authoritative, for external queries:
allow-query { any; };

That worked very well: the MT device copes with the DDOS attack and port scans, and registers the sources and blocks them for some time.
The DNS itself only answers queries on authoritative names (our owned domains) and nothing else, except if you are on the inside networks.

The generated address list of blocked DNS sources is taken out of the MT device down to a unix server for further processing; that is, it looks up who owns the IP addresses and then informs the owner about the problem they have. So far a success story.
It has been successfully running for some years here.

Improvements are welcome.

Hello Folks!

After some time of test running, the address list has become large; also, running some DNS tests makes the DNS tester’s IP address get dropped, so maybe " limit=1,5 " is too aggressive a setting for dropping bad guys.

I did play with some other settings like 10 packets per second and some other settings like limit=1,15 and 10,15, but the effect was the same, still nice ones are dropped. Maybe it is necessary to make some more advanced “filter” for MikroTik in front of the DNS servers.

Anyone who has any ideas how to do that?
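Why a listing rule that carries the limit catches well-behaved clients can be seen by simulating the matcher. The following is an added example, not from the thread or from MikroTik. It models a token bucket the way I read the RouterOS documentation (stated here as an assumption): a matcher written `limit=1,5` matches packets while they are within 1 packet/s with a burst of 5 and stops matching once the rate is exceeded; `limit` keeps one counter for the whole rule, while `dst-limit=...,src-address` keeps one per source. The traffic (one ordinary client, one tester sending a 5-query burst, one flood source at 4 packets/s) is constructed.

```python
"""Simulating which packets a rate-limit matcher lets a firewall rule see.

Added example, not from the thread.  Assumption about RouterOS semantics: a
matcher with limit=rate,burst MATCHES packets while the bucket has tokens and
stops matching once the rate is exceeded; `limit` is one shared counter per
rule, `dst-limit ... src-address` is one counter per source.  The traffic is
constructed.
"""
from collections import defaultdict

NICE, TESTER, FLOOD = "198.51.100.20", "192.0.2.9", "203.0.113.66"


class TokenBucket:
    """`rate` tokens per second, at most `burst` stored.  allow() returns True
    while the packet is within the limit (the matcher matches) and False once
    the limit is exceeded (the matcher does not match, no token is consumed)."""

    def __init__(self, rate, burst):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.last = float(burst), None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def _buckets(rate, burst, per_source):
    """Per-source buckets (dst-limit with src-address) or one shared bucket (limit)."""
    if per_source:
        return defaultdict(lambda: TokenBucket(rate, burst))
    shared = TokenBucket(rate, burst)
    return defaultdict(lambda: shared)


def list_with_limit_on_listing_rule(packets, rate=1, burst=5, per_source=False):
    """The thread's rule 16/17 shape: add-src-to-address-list ... limit=1,5.
    The matcher matches packets *within* the limit, so a source is listed as
    soon as one of its packets finds a token.  Returns the set of listed sources."""
    buckets, listed = _buckets(rate, burst, per_source), set()
    for t, src in sorted(packets):
        if buckets[src].allow(t):
            listed.add(src)
    return listed


def accept_within_limit_then_list(packets, rate=1, burst=5, per_source=True):
    """Rule A: accept while within the limit.  Rule B (no limit): add the
    source to the address list for whatever fell through rule A."""
    buckets, listed = _buckets(rate, burst, per_source), set()
    for t, src in sorted(packets):
        if not buckets[src].allow(t):
            listed.add(src)
    return listed


def constructed_traffic():
    """(time_s, source) pairs: 3 queries in a minute, a 5-query test burst,
    and a flood at 4 packets/s for 30 s."""
    pkts = [(0.0, NICE), (35.6, NICE), (60.0, NICE)]
    pkts += [(10.0 + i * 0.2, TESTER) for i in range(5)]
    pkts += [(20.0 + i * 0.25, FLOOD) for i in range(120)]
    return pkts


if __name__ == "__main__":
    traffic = constructed_traffic()
    print("limit on the listing rule, shared counter:   ",
          sorted(list_with_limit_on_listing_rule(traffic)))
    print("limit on the listing rule, per-source counter:",
          sorted(list_with_limit_on_listing_rule(traffic, per_source=True)))
    print("accept within shared limit, then list:       ",
          sorted(accept_within_limit_then_list(traffic, per_source=False)))
    print("accept within per-source limit, then list:   ",
          sorted(accept_within_limit_then_list(traffic, per_source=True)))
```

With the limit on the add-src-to-address-list rule, all three sources are listed, whatever the counter, because each source's first packet finds a token and matches. Putting an accepting rule with the limit first and an unlimited listing rule after it lists only the source that exceeds the rate. With the shared `limit` counter the ordinary client is still listed when its query arrives while the flood has drained the bucket, which is why a per-source `dst-limit` (as in the first post's rules) is the better fit in front of a DNS server, ideally with a short address-list timeout to limit the cost of a false positive.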