OMG !! Combating DNS flood - botnets, infection, and spam ?

NetworkPro · February 12, 2011, 2:40pm

Hello.

I want to thank omega-00 for his article http://wiki.mikrotik.com/wiki/Conficker-Virus-Blocking http://forum.mikrotik.com/t/script-to-identify-conficker-virus-infected-users/27326/1

On to my current issue:

There is an infection of some sort that makes too much DNS requests for random domains:

So far I am detecting this with these rules:

/ip firewall mangle
add action=add-dst-to-address-list address-list=DNS_Junk address-list-timeout=1w chain=postrouting comment=“Catch the DNS Junk senders and save to address-list for later spanking” content=“\81\83” disabled=no
dst-address-list=DNS_Junk_stage5 protocol=udp src-port=53
add action=add-dst-to-address-list address-list=DNS_Junk_stage5 address-list-timeout=4s chain=postrouting comment=“” content=“\81\83” dst-address-list=DNS_Junk_stage4 protocol=udp src-port=53
add action=add-dst-to-address-list address-list=DNS_Junk_stage4 address-list-timeout=4s chain=postrouting comment=“” content=“\81\83” dst-address-list=DNS_Junk_stage3 protocol=udp src-port=53
add action=add-dst-to-address-list address-list=DNS_Junk_stage3 address-list-timeout=4s chain=postrouting comment=“” content=“\81\83” dst-address-list=DNS_Junk_stage2 protocol=udp src-port=53
add action=add-dst-to-address-list address-list=DNS_Junk_stage2 address-list-timeout=5s chain=postrouting comment=“” content=“\81\83” dst-address-list=DNS_Junk_stage1 protocol=udp src-port=53
add action=add-dst-to-address-list address-list=DNS_Junk_stage1 address-list-timeout=10s chain=postrouting comment=“” content=“\81\83” dst-address-list=!DNS_Junk protocol=udp src-port=53

These rules make an address-list for DNS offenders that receive too many replies for not-found DNS entries in a period of time.

Someone has any idea

How to protect our DNS servers and MikroTik routers from this DNS flooding? Cache is getting fileld up with N entries.
What is this virus and how to block the traffic of the virus? How to combat it?

Thank you!!!

fewi · February 12, 2011, 5:31pm

depending on the DNS server uses you cab set aggressive timeouts on misses
block the user from being able to reach the DNS servers in the first place
it’s very likely a botnet infected machine looking for a CC (command and control) server. Clients have built in rules to build DNA names to query for until they find a CC. That way the bot herder can rapidly rotate the CCs and the bots follow after some time

NetworkPro · February 25, 2011, 6:48pm

Thank you fewi your answer is awesome.

So far we have not found a cheap way to deal with this so right now we are supporting networks to serve botnets hurray

P.S. I modified my script above to save CPU.

mves · April 28, 2011, 2:54pm

Hi… I’m testing this and so far it’s doing fine. It kicked out flooding with N entries from cache and also listing origin of this flood and IP destination.

/ip firewall nat
add action=add-src-to-address-list address-list=DNS address-list-timeout=1d chain=dstnat comment=\
    "DNS Flood - Test" disabled=no dst-address-list=!Server dst-port=53 in-interface=xxx protocol=udp
add action=add-dst-to-address-list address-list=DNS-dst address-list-timeout=1d chain=dstnat comment="" \
    disabled=no dst-address-list=!Server dst-port=53 in-interface=xxx protocol=udp
add action=redirect chain=dstnat comment="" disabled=no dst-address-list=!Server dst-port=53 in-interface=\
    xxx protocol=udp to-ports=2

/ip firewall address-list
add address=xxx.xxx.xxx.xxx comment="" disabled=no list=Server
add address=xxx.xxx.xxx.xxx comment="" disabled=no list=Server
add address=xxx.xxx.xxx.xxx comment="" disabled=no list=Server
add address=xxx.xxx.xxx.xxx comment="" disabled=no list=Server

Server list are IP addresses of allowed DNS servers… 4 entries in my case. Also, scheduled 15 minutes flushing DNS cache is additional helping. Change xxx to fit your settings.

Cupholder · April 28, 2011, 7:37pm

It might just be a user starting up their Google Chrome web browser. If so, nothing to worry about: http://isc.sans.edu/diary.html?storyid=10312

mves · April 28, 2011, 9:40pm

O yes? That could really be true but that actually does not helping with the fact that this thing can actually kill DNS cache on mikrotik. From one source, ok, just set flushing cache every 15 minutes and you’ll probably won’t even notice it. If there is more than one source for that and constant flooding with this… you’re in a problem.

NetworkPro · April 29, 2011, 11:31am

Thanks for sharing, mves, but clearing cache slows down DNS resolving.

And I don’t see how you catch the offenders with those rules.

mves · April 29, 2011, 2:31pm

O, but it does catching them. At least, not directly. This botnets usually using different DNS server than your default so I killed everything that’s not going through designated DNS. I found couple of users with this issue and this thing successfully removed invalid DNS attempts and also removed that problem. Also, allow remote requests for DNS cache is turned on. Everything else is blocked and that indirectly included flooding problem. And, I just blast that lines in and it worked… at least for me and my network problems.

And clearing cache… I don’t know, you’re probably right but this helped me on occasional router freeze during DNS flooding. Probably issues with older ROS on some of the routers.

NetworkPro · April 29, 2011, 3:27pm

Thanks for clarifying.

I imagine the following working best in my case:

catch infected hosts with my rules
block their Internet access and send their web requests to my company’s HTTPS site with valid verifiable certificate
on that page - tell them to run a certain Anti-Virus solution that I know for sure would clean the infection, like Microsoft Malicious Software Removal Tool

But how can I be sure if a certain simple Anti-Virus tool would clean it?

mves · April 29, 2011, 4:18pm

You can’t know… and usually this stuff can be removed only by reinstalling windows and in extreme cases you have to do a low level format of all hard drives. Microsoft Malicious Software Removal Tool usually crash windows because it delete infected files instead of fixing them. Well, at least, that used to be with that “tool”. On the other hand, I find that Kaspersky is quite helpful in solving virus outbreaks. I also tried Avast as a free solution.

NetworkPro · April 29, 2011, 4:26pm

Microsoft Malicious Software Removal Tool cleaned an infected wininit.exe for me once. How about that hmm ? WITHOUT THE NEED TO REBOOT

mves · April 29, 2011, 4:44pm

Niceee… and how about svchost.exe, rundll32.exe, services.exe or maybe winlogon.exe or explorer.exe?
Safest way for your network and for your customer is to recommend windows reinstall by someone who knows how to do it (since who ever got a hands on a windows installation disk becomes a self named “professional”).