Filter DNS ANY requests to our nameservers

I am currently experiencing DDoS attacks on our name server.
They are using DNS amplification attacks to request ANY records from our DNS server.

On the Linux name servers I can filter it like this:
$IPTABLES -A INPUT -p udp --dport 53 -m string --hex-string "|00ff|" --algo bm --from 40 -j DROP -m comment --comment 'Block ANY requests'
$IPTABLES -A INPUT -p tcp --dport 53 -m string --hex-string "|00ff|" --algo bm --from 40 -j DROP -m comment --comment 'Block ANY requests'

Can I do the same within our MikroTik router?
We have 2 CCR1036-12G-4S routers.

With kind regards,

Bas van den Dikkenberg

/ip firewall filter
add action=drop chain=input connection-state=new dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input connection-state=new dst-port=53 in-interface=ether1 protocol=tcp

Just use your WAN interface instead of ether1. Looks like you should think about your firewall more deeply; closing this doesn't close other holes you probably have there.

And one last thing: using Google you'd have had the answer a long time ago, especially when most topics here are about the same thing again and again.

This is no solution; this way you block all traffic and not only the ANY requests.

There's the L7 matcher, but it does not like null bytes. You could use a bare FF, but I'd be afraid there could be some false positives:

/ip firewall layer7-protocol
add name="dns ANY" regexp="\\xff"
/ip firewall filter
add action=log chain=forward dst-port=53 layer7-protocol="dns ANY" protocol=udp

On the other hand, FF should probably not appear in the question section, so if you manage to skip the "dangerous parts", namely the id, it might work fine:

/ip firewall layer7-protocol
add name="dns ANY" regexp="...*\\xff"
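The false-positive question raised above (the bare FF / `...*\xff` L7 regex here, and the `--hex-string "|00ff|"` iptables rule in the opening post) comes down to byte search versus actually reading the QTYPE field. The following is an added Python example, not code from this thread or from MikroTik: it parses the DNS header and the first question of a query and checks QTYPE == 255 (ANY) exactly, and contrasts that with a naive search for the bytes `00 ff` over the whole payload, which fires on a transaction id of 0x00ff (the L7 matcher sees the payload from its first byte; the UDP iptables rule's `--from 40` starts at the question section only when the IP header carries no options). The packet builder, sample names and function names are the example's own.

```python
import struct

QTYPE_ANY = 255  # RFC 1035 QTYPE value for "*" (ANY)


def parse_dns_query(payload: bytes):
    """Parse the 12-byte DNS header and the first question of a DNS message.

    Returns a dict with id, qname, qtype and qclass, or None when the message is
    truncated or malformed. A compression pointer in a query's question section
    is treated as malformed (it is never needed there).
    """
    if len(payload) < 12:
        return None
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if qdcount < 1:
        return None
    pos = 12
    labels = []
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:              # root label terminates the name
            break
        if length & 0xC0:            # compression pointer or reserved bits
            return None
        if length > 63 or pos + length > len(payload):
            return None
        labels.append(payload[pos:pos + length].decode("ascii", errors="replace"))
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {"id": txid, "qname": ".".join(labels) + ".", "qtype": qtype, "qclass": qclass}


def is_any_query(payload: bytes) -> bool:
    """Exact check: the question's QTYPE field equals ANY."""
    q = parse_dns_query(payload)
    return q is not None and q["qtype"] == QTYPE_ANY


def naive_any_match(payload: bytes) -> bool:
    """Mimics a byte-pattern rule that scans the whole payload for 00 ff
    (the L7 regex sees the payload from byte 0, so the transaction id is included)."""
    return b"\x00\xff" in payload


def build_query(txid: int, name: str, qtype: int) -> bytes:
    """Build a minimal standard query (constructed test input, one question, no EDNS)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


if __name__ == "__main__":
    for txid, qtype in ((0x1234, QTYPE_ANY), (0x1234, 1), (0x00FF, 1)):
        pkt = build_query(txid, "example.com", qtype)
        print(f"id={txid:#06x} qtype={qtype:3d} exact={is_any_query(pkt)} naive={naive_any_match(pkt)}")
```

The third packet in the demo is an ordinary A query whose transaction id happens to be 0x00ff: the byte search flags it, the parser does not. Skipping the id (as the second regex above tries to do) removes that case but still matches a `00 ff` sequence that appears inside a label or in a record after the question; reading the QTYPE at its real offset is the only check with no false positives.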

The correct solution in Linux is to set BIND to only allow recursive queries from your approved networks:

Example in /etc/bind/named.conf.options:

acl "MyDNSclients" {
  192.168.0.0/16;
  x.x.x.0/24;
  x.x.y.0/24;
  x.x.z.0/24;
  x.x.q.0/22;
  etc...
};

options {
 // stuff...
 allow-query {"MyDNSclients"; };
 // more stuff...
};

Simply blocking DNS amplification destinations in iptables while you're being used as an amplifier is like trying to kill flies with a hammer after you've forgotten to take out the garbage for too long. You need to close the door and maybe keep blocking streams for a while until the botnets learn that you're now refusing queries.

As for MikroTik: you really need to just block all sources that you don't want to give DNS service to; use an address list:

/ip firewall address-list
add list=MyDNSclients address=192.168.0.0/16
add list=MyDNSclients address=x.x.x.0/24
etc...
and then in the filters:
/ip firewall filter
....
add chain=input protocol=udp dst-port=53 src-address-list=MyDNSclients action=accept
....
add chain=input action=drop comment="default drop all packets"
(and don't allow DNS queries from any other source)

He probably has an authoritative DNS server for a domain running behind a MikroTik router.
So it should be able to process queries from all over the world.

Due to the slackness of internet providers worldwide in implementing source address filtering (IMHO any ISP that does not implement BCP 38 should be kicked off the internet!) he is receiving queries to his DNS server with spoofed addresses; these result in larger replies that are sent to the faked source address, saturating his own and the victim's bandwidth.

A stopgap is to disallow "-t ANY" queries because those have the largest amplification in size from request to reply. However, the only real solution is the extermination of source address spoofing in the internet.

Correct, we are running authoritative DNS servers.
You are correct, but how to find the source?

Yes, that is the big problem; as long as there are lousy internet providers we are stuck with this problem.
I run a /16 network on the internet; you can imagine how much crap it receives.

I am not an expert on MikroTik L7 filters, but I suggest applying the filter to the DNS server itself for now, so at least it does not reply. Maybe some expert can suggest a working filter for MikroTik later.