basd
just joined
Topic Author
Posts: 6
Joined: Mon Sep 14, 2015 11:37 am

Filter DNS any request to our Nameservers

Mon Apr 25, 2016 9:35 pm

I am currently experiencing DDoS attacks on our name servers.
They are using DNS amplification attacks to request ANY records from our DNS server.

On the Linux name servers I can filter it like this:
$IPTABLES -A INPUT -p udp --dport 53 -m string --hex-string "|00ff|" --algo bm --from 40 -j DROP -m comment --comment 'Block ANY requests'
$IPTABLES -A INPUT -p tcp --dport 53 -m string --hex-string "|00ff|" --algo bm --from 40 -j DROP -m comment --comment 'Block ANY requests'

Can I do the same in our MikroTik router?
We have 2 CCR1036-12G-4S routers.

With kind regards,

Bas van den Dikkenberg
 
jarda
Forum Guru
Posts: 7602
Joined: Mon Oct 22, 2012 4:46 pm

Mon Apr 25, 2016 10:23 pm

/ip firewall filter
add action=drop chain=input connection-state=new dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input connection-state=new dst-port=53 in-interface=ether1 protocol=tcp

Just use your WAN interface instead of ether1. It looks like you should think about your firewall more deeply; closing this doesn't close the other holes you probably have there.

And one last thing: using Google you'd have had the answer a long time ago, especially since most topics here are about the same thing again and again.
 
basd
just joined
Topic Author
Posts: 6
Joined: Mon Sep 14, 2015 11:37 am

Re:

Mon Apr 25, 2016 10:26 pm

This is no solution; this way you block all traffic and not only the ANY requests.
/ip firewall filter
add action=drop chain=input connection-state=new dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input connection-state=new dst-port=53 in-interface=ether1 protocol=tcp
With kind regards,

Bas van den Dikkenberg
 
Sob
Forum Guru
Posts: 5416
Joined: Mon Apr 20, 2009 9:11 pm

Re: Filter DNS any request to our Nameservers

Tue Apr 26, 2016 12:37 am

There's the L7 matcher, but it does not like null bytes. You could use bare FF, but I'd be afraid there could be some false positives:
/ip firewall layer7-protocol
add name="dns ANY" regexp="\\xff"
/ip firewall filter
add action=log chain=forward dst-port=53 layer7-protocol="dns ANY" protocol=udp
On the other hand, FF should probably not appear in the question section, so if you manage to skip the "dangerous parts", namely the id, it might work fine:
/ip firewall layer7-protocol
add name="dns ANY" regexp="...*\\xff"
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
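An added example, not code from the thread: the byte-scan heuristics in the first post (iptables "|00ff|" from offset 40) and in Sob's post (the L7 "\xff" regexp, with and without skipping the transaction id) re-implemented in Python and compared against an actual parse of the DNS question section. The packets, names, transaction ids and the placeholder IPv4/UDP framing are all constructed here for the demonstration.

```python
"""Classify DNS queries by QTYPE: byte-scan heuristics versus parsing the question.

Added example, not code from the forum thread. It re-implements the iptables
'|00ff| --from 40' heuristic from the first post and the RouterOS L7 '\\xff'
regexes from Sob's post, and compares them with a real parse of the DNS
question section. All packets are constructed here for the demonstration.
"""
from __future__ import annotations

import struct
from typing import Optional

QTYPE_ANY = 255
IP_HDR = 20    # IPv4 header without options
UDP_HDR = 8
DNS_HDR = 12   # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
STRING_FROM = IP_HDR + UDP_HDR + DNS_HDR   # the 40 in '--from 40' (UDP, no IP options)


def build_query(txid: int, labels: list[bytes], qtype: int) -> bytes:
    """Minimal DNS query: header + one question (constructed input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # standard query, RD set
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)       # QCLASS IN


def as_udp_datagram(dns: bytes) -> bytes:
    """Prepend placeholder IPv4 + UDP headers so byte offsets match what the
    iptables string match sees on INPUT. Addresses and checksums are dummies."""
    udp = struct.pack("!HHHH", 40000, 53, UDP_HDR + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 53]))
    return ip + udp


def iptables_string_match(packet: bytes) -> bool:
    """-m string --hex-string '|00ff|' --from 40: any 00 ff at or after byte 40."""
    return b"\x00\xff" in packet[STRING_FROM:]


def l7_bare_ff(dns: bytes) -> bool:
    """RouterOS L7 regexp '\\xff': any 0xff byte anywhere in the payload."""
    return b"\xff" in dns


def l7_skip_id(dns: bytes) -> bool:
    """RouterOS L7 regexp '...*\\xff': skip at least the 2-byte ID, then any 0xff."""
    return b"\xff" in dns[2:]


def question_qtype(dns: bytes) -> Optional[int]:
    """Walk the question section and return the first QTYPE, or None if the
    message is not a well-formed query with at least one question."""
    if len(dns) < DNS_HDR:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", dns[:6])
    if flags & 0x8000 or qdcount == 0:      # QR set means response, not query
        return None
    pos = DNS_HDR
    while True:
        if pos >= len(dns):
            return None
        length = dns[pos]
        if length == 0:                      # root label ends the name
            pos += 1
            break
        if length & 0xC0:                    # compression pointers do not belong in a query name
            return None
        pos += 1 + length                    # label bytes may be any octets (RFC 2181)
    if pos + 4 > len(dns):
        return None
    qtype, _qclass = struct.unpack("!HH", dns[pos:pos + 4])
    return qtype


def is_any_query(dns: bytes) -> bool:
    return question_qtype(dns) == QTYPE_ANY


def evaluate(dns: bytes) -> dict[str, bool]:
    """Verdict of each heuristic next to the parser's verdict for one query."""
    return {
        "iptables_00ff_from40": iptables_string_match(as_udp_datagram(dns)),
        "l7_bare_ff": l7_bare_ff(dns),
        "l7_skip_id_ff": l7_skip_id(dns),
        "parsed_is_any": is_any_query(dns),
    }


SAMPLES = {
    # a genuine ANY query: every method fires
    "ANY example.com": build_query(0x1234, [b"example", b"com"], QTYPE_ANY),
    # an A query whose transaction ID happens to be 0x00ff: bare \xff fires; the
    # offset-40 and skip-ID variants do not, because the ID precedes their window
    "A, txid 00ff": build_query(0x00ff, [b"example", b"com"], 1),
    # an A query for a name with a binary label containing 00 ff: every byte
    # scan fires, only the parser sees QTYPE=1
    "A, binary label": build_query(0x1234, [b"\x00\xff", b"example", b"com"], 1),
}

if __name__ == "__main__":
    for name, dns in SAMPLES.items():
        print(f"{name:18} {evaluate(dns)}")
```

The offset arithmetic only holds for UDP without IP options; for the TCP rule in the first post, byte 40 lands inside the TCP header or its options, so the same string match there covers a different window. The parser is the check a practitioner would want on the server itself: it reads QTYPE from where the protocol puts it, so neither a 0xff in the id nor an odd label can trip it.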
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Filter DNS any request to our Nameservers

Tue Apr 26, 2016 1:38 am

The correct solution in Linux is to set bind to only allow recursive queries from your approved networks:

Example in /etc/bind/named.conf.options:
acl "MyDNSclients" {
  192.168.0.0/16;
  x.x.x.0/24;
  x.x.y.0/24;
  x.x.z.0/24;
  x.x.q.0/22;
  etc...
};

options {
 // stuff...
 allow-query {"MyDNSclients"; };
 // more stuff...
};
Simply blocking DNS Amplification destinations in IPtables while you're being used as an amplifier is like trying to kill flies with a hammer after you've forgotten to take out the garbage for too long. You need to close the door and maybe keep blocking streams for a while until the botnets learn that you're now refusing queries.

As for Mikrotik - you really need to just block all sources that you don't want to give DNS service to - use an address list:
/ip firewall address-list
add list=MyDNSclients address=192.168.0.0/16
add list=MyDNSclients address=x.x.x.0/24
etc...
and then in the filters:
/ip firewall filter
....
add chain=input protocol=udp dst-port=53 src-address-list=MyDNSclients action=accept
....
add chain=input action=drop comment="default drop all packets"
(and don't allow DNS queries from any other source)
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
pe1chl
Forum Guru
Posts: 6329
Joined: Mon Jun 08, 2015 12:09 pm

Re: Filter DNS any request to our Nameservers

Tue Apr 26, 2016 10:53 am

The correct solution in Linux is to set bind to only allow recursive queries from your approved networks:
He probably has an authoritative DNS server for a domain running behind a MikroTik router.
So it should be able to process queries from all over the world.

Due to the slackness of internet providers worldwide in implementing source address filtering (IMHO any ISP that does not implement BCP 38 should be kicked off the internet!) he is receiving queries to his DNS server with spoofed addresses; these result in larger replies that are sent to the faked source address, saturating his own and the victim's bandwidth.

A stopgap is to disallow "-t ANY" queries because those have the largest amplification in size from request to reply. However, the only real solution is the extermination of source address spoofing in the internet.
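An added example, not from the thread, of the source-address check pe1chl is asking providers for (BCP 38, RFC 2827): a policy of per-interface customer prefixes, the accept/drop decision for a packet's source on the interface it entered, and the same policy rendered as RouterOS address-lists plus a negated src-address-list drop rule. The interface names and prefixes are made-up placeholders, and the RouterOS command syntax is my assumption rather than anything posted in the thread.

```python
"""BCP 38 (RFC 2827) ingress filtering, modelled for an ISP customer edge.

Added example, not code from the thread. pe1chl's point is that the abuse
works only because access networks forward packets with source addresses
they never assigned. This checks a packet's source against the prefixes
assigned to the customer interface it arrived on, and renders the same
policy as RouterOS address-lists and filter rules. Interface names and
prefixes are made-up placeholders; the RouterOS syntax (address-list
negation with '!') is assumed, not taken from the thread.
"""
from __future__ import annotations

from ipaddress import ip_address, ip_network

# Hypothetical assignments: the only source prefixes legitimately reachable
# behind each customer-facing interface.
CUSTOMER_PREFIXES = {
    "cust-a": [ip_network("203.0.113.0/24"), ip_network("2001:db8:a::/48")],
    "cust-b": [ip_network("198.51.100.0/26")],
}

# Sources that are never valid arriving from a customer (a subset of the usual
# bogon list: RFC 1918/6598 space, loopback, link-local, multicast, unspecified).
BOGONS = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def bcp38_verdict(in_interface: str, src: str) -> str:
    """'accept' or 'drop:<reason>' for a packet with source `src` entering on a
    customer interface. Interfaces without an assignment fail closed; comparing
    an IPv6 address against an IPv4 prefix is simply a non-match."""
    addr = ip_address(src)
    if any(addr in net for net in BOGONS):
        return "drop:bogon-source"
    allowed = CUSTOMER_PREFIXES.get(in_interface)
    if allowed is None:
        return "drop:unknown-interface"
    if any(addr in net for net in allowed):
        return "accept"
    return "drop:spoofed-source"


def routeros_bcp38_rules() -> list[str]:
    """Render the policy as RouterOS commands: one address-list per interface and a
    forward-chain rule dropping anything on that interface whose source is not in
    its list. A list with no entries matches nothing, so the negated match then
    drops everything of that address family, which is the fail-closed intent."""
    lines = []
    for iface, prefixes in CUSTOMER_PREFIXES.items():
        for net in prefixes:
            tree = "/ip" if net.version == 4 else "/ipv6"
            lines.append(f"{tree} firewall address-list add list={iface}-src address={net}")
        for tree in ("/ip", "/ipv6"):
            lines.append(f"{tree} firewall filter add chain=forward in-interface={iface} "
                         f"src-address-list=!{iface}-src action=drop comment=\"BCP38 {iface}\"")
    return lines


if __name__ == "__main__":
    # Constructed sample: the spoofed query pe1chl describes, arriving from cust-b
    # with another network's address as source, next to legitimate traffic.
    for iface, src in [("cust-a", "203.0.113.7"), ("cust-a", "2001:db8:a::1"),
                       ("cust-b", "203.0.113.7"), ("cust-b", "10.0.0.1"),
                       ("cust-c", "203.0.113.7")]:
        print(f"{iface:7} {src:16} {bcp38_verdict(iface, src)}")
    print("\n".join(routeros_bcp38_rules()))
```

The spoofed packet in the sample is dropped at cust-b before it ever reaches an authoritative server, which is the only place the amplification can be stopped for good; everything the thread discusses on the server side is damage limitation for networks that do not run this check.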
 
basd
just joined
Topic Author
Posts: 6
Joined: Mon Sep 14, 2015 11:37 am

Re: Filter DNS any request to our Nameservers

Tue Apr 26, 2016 12:44 pm

Correct, we are running authoritative DNS servers.
You are correct, but how to find the source?

With kind regards,

Bas van den Dikkenberg
 
pe1chl
Forum Guru
Posts: 6329
Joined: Mon Jun 08, 2015 12:09 pm

Re: Filter DNS any request to our Nameservers

Tue Apr 26, 2016 3:13 pm

Correct, we are running authoritative DNS servers.
You are correct, but how to find the source?
Yes, that is the big problem; as long as there are lousy internet providers we are stuck with this problem.
I run a /16 network on the internet, you can imagine how much crap it receives.

I am not an expert on MikroTik L7 filters, but I suggest applying the filter on the DNS server itself for now, so at least it does not reply. Maybe some expert can suggest a working filter for MikroTik later.
