Hi colleagues,
I also found this about DDoS:
Securing DNS against DDOS amplification attacks
When you run a DNS server on your dedicated server, it will be the
target of DNS amplification attacks. To prevent these attacks from
succeeding and using up your bandwidth (which you will pay for), you
need to configure your DNS server not to answer recursive queries.
Check if your server is vulnerable
You can send a DNS query to your server, e.g.
"thatserver.dedicated.co.za" using dig or nslookup.
dig @thatserver.dedicated.co.za www.isc.org
Alternatively:
nslookup
> server thatserver.dedicated.co.za
> isc.org
Non-authoritative answer:
Name: isc.org
Address: 149.20.64.42
If you receive an answer that includes the IP address of
www.isc.org, then your server is vulnerable, because it did the work of
finding out the answer and presenting it to you.
Simple solutions
Often enough, if you are running a DNS server, you probably don't need
it. Turn it off: stop the service, remove the software.
You only need a DNS server on your system for one of the following purposes:
- Your DNS server is configured with zone files for domains that you
are hosting, and you have asked a DNS registrar (e.g. enom.com) to point
domains to your DNS server. You will recognise these terms if you have
done this. You do not need DNS recursion for this function.
- You are unhappy with the quality of the DNS resolver you are using
and would rather implement this function yourself. If this is why you
have a DNS server, you do not need to answer external queries. You can
protect the server with a firewall.
- You are providing zone files for a private domain, e.g. as some
part of Active Directory. In this case you can limit your responses to
only those systems that have an interest in that private domain, i.e.
members of the Active Directory system.
- You are competing with OpenDNS and Google's DNS recursor. If you
are doing this, you must implement appropriate rate limits, which is an
exercise for the reader.
Secure named (bind) on Linux
Add this to the "options" section of /etc/named.conf :
recursion no;
additional-from-auth no;
additional-from-cache no;
Then restart named so that it will use the new secure options:
/etc/init.d/named restart
For detailed information see
http://www.cymru.com/Documents/secure-bind-template.html
Secure Microsoft DNS server
If you have installed or enabled Exchange then you have implicitly
turned on DNS, which by default runs as a recursive service and can be
horribly attacked. Usually you can just firewall the DNS service.
Run this command:
dnscmd . /Config /NoRecursion 1
Or follow this procedure:
Start | Administrative Tools | DNS (DNS manager)
Right click DNS server |
Properties |
Advanced |
Server options |
Disable recursion -> Yes, OK
Unfortunately, it is not possible to prevent the Microsoft DNS server
from replying with cached values, so your non-recursive DNS server will
provide a small amount of useful traffic amplification for attackers.
Where possible, add a firewall rule that blocks incoming traffic from
unauthorised clients towards port 53/UDP (and port 53/TCP for good measure).
iptables rules for Linux
If your DNS server is used only by the machine on which you are running
it, you can block external queries as follows (the negation goes before
the option in current iptables syntax):
iptables -A INPUT -p udp -m udp --dport 53 ! -i lo -j DROP
These iptables firewall rules prohibit excessive ANY queries to
a non-recursive DNS server (the first rule records the source of every
ANY query, the second drops a source that has sent five or more in 60 seconds):
iptables -A INPUT -p udp -m udp --dport 53 \
  -m string --hex-string "|0000ff0001|" --algo bm --from 48 --to 65535 \
  -m recent --set --name dnsanyquery --rsource
iptables -A INPUT -p udp -m udp --dport 53 \
  -m string --hex-string "|0000ff0001|" --algo bm --from 48 --to 65535 \
  -m recent --rcheck --seconds 60 --hitcount 5 --name dnsanyquery --rsource \
  -j DROP
If for some reason you have to run an open DNS resolver, you can limit
the rate at which you accept queries:
iptables -A INPUT -p udp --dport 53 -m hashlimit \
--hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
--hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP
If you know what the above means you can install these rules in your system.
Reference information
You can read more about this here:
http://www.publicsafety.gc.ca/prg/em/ccirc/2009/av09-011-eng.aspx -
securing your server
http://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack -
what the attacker is trying to do
http://technet.microsoft.com/en-us/library/cc771738.aspx - fixing
Microsoft DNS
http://www.cymru.com/Documents/secure-bind-template.html - fixing
Linux DNS
iptables
--
Regards,
Lic. Roberto Estupiñán Pérez
Network Administrator
EICMA UEB Camagüey
Phones 286139 - 286117
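As an added example (not part of Roberto's message or of the article he forwarded), the following Python script does by hand what the dig/nslookup check above does: it builds the same wire-format query (RD set), classifies the server's reply from the header flags, reports the byte amplification, and shows the byte pattern the iptables ANY-query rule matches. The sample responses are constructed inline so the script runs offline; `probe()` is the live version and needs network access. Function names such as `build_query` and `classify_response` and the category strings they return are this example's own.

```python
"""Added example: build a DNS query like `dig @server name`, classify the
server's reply (open resolver / refused / authoritative / cached) and
measure amplification.  Sample packets are constructed here, not captured."""
import socket
import struct

QTYPE_A = 1
QTYPE_ANY = 255
QCLASS_IN = 1
RCODE_REFUSED = 5
HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount


def encode_name(qname):
    """Dotted name -> DNS labels, terminated by the root label 0x00."""
    out = b""
    for label in qname.strip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=QTYPE_A, txid=0x1234):
    """Wire-format query with RD (recursion desired) set, as dig sends by default."""
    flags = 0x0100  # RD
    return HEADER.pack(txid, flags, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def is_any_query(packet):
    """Same test the iptables rule makes with --hex-string "|0000ff0001|":
    root-label terminator 0x00, then QTYPE 0x00ff (ANY) and QCLASS 0x0001 (IN).
    The rule's --from 48 starts past the IP (20), UDP (8) and DNS (12) headers."""
    return b"\x00\x00\xff\x00\x01" in packet[12:]


def build_response(query, answers=(), ra=False, aa=False, rcode=0):
    """Constructed reply to `query` (example data): A records for the question name."""
    txid, qflags, qdcount, _, _, _ = HEADER.unpack(query[:12])
    flags = 0x8000 | (qflags & 0x0100) | rcode  # QR set, RD copied back from the query
    if aa:
        flags |= 0x0400
    if ra:
        flags |= 0x0080
    rrs = b""
    for ip in answers:
        # name = pointer to offset 12 (the question name), type A, class IN, TTL 300, 4-byte rdata
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + socket.inet_aton(ip)
    return HEADER.pack(txid, flags, qdcount, len(answers), 0, 0) + query[12:] + rrs


def classify_response(resp):
    """What did the server do with our RD query?  Decided from the header alone."""
    _, flags, _, ancount, _, _ = HEADER.unpack(resp[:12])
    qr = (flags >> 15) & 1
    aa = (flags >> 10) & 1
    ra = (flags >> 7) & 1
    rcode = flags & 0xF
    if not qr:
        return "not a response"
    if rcode == RCODE_REFUSED:
        return "refused"        # BIND with 'recursion no;' normally answers this for foreign names
    if aa:
        return "authoritative"  # the server's own zone data; expected for a hosting-only server
    if ra and ancount > 0:
        return "open resolver"  # it resolved the name for us and advertises recursion: vulnerable
    if ancount > 0:
        return "cached data"    # RA clear but still answered (the cached-reply case noted for MS DNS)
    return "no data"


def amplification_factor(query, resp):
    """Bytes the spoofed victim receives per byte the attacker sends."""
    return len(resp) / len(query)


def probe(server, qname="www.isc.org", qtype=QTYPE_A, timeout=3.0):
    """Live equivalent of `dig @server qname` (needs network; not used by the offline check)."""
    query = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        resp, _ = sock.recvfrom(4096)
    if resp[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return classify_response(resp), amplification_factor(query, resp)


if __name__ == "__main__":
    q = build_query("www.isc.org")
    for label, r in [("open", build_response(q, ["149.20.64.42"], ra=True)),
                     ("refused", build_response(q, rcode=RCODE_REFUSED))]:
        print(label, classify_response(r), round(amplification_factor(q, r), 2))
```

A single A record gives only a modest ratio; the ANY responses the iptables rule targets are where the ratio becomes large, which is why `is_any_query()` mirrors that rule's byte match rather than parsing the question section.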
--
This message has been scanned by MailScanner
for viruses and other dangerous content,
and is believed to be clean.
------------ next part ------------
An HTML attachment was scrubbed...
URL:
<http://listas.jovenclub.cu/pipermail/gutl-l/attachments/20150218/f30cfbd7/attachment.html>
------------ next part ------------
A non-text attachment was scrubbed...
Name: gráficos1
Type: image/png
Size: 5520 bytes
Desc: not available
URL:
<http://listas.jovenclub.cu/pipermail/gutl-l/attachments/20150218/f30cfbd7/attachment.png>
______________________________________________________________________
Mailing list of the Grupo de Usuarios de Tecnologías Libres de Cuba.
Gutl-l@jovenclub.cu
https://listas.jovenclub.cu/cgi-bin/mailman/listinfo/gutl-l
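A second added example (again not from the message or the article it forwards): a small Python token-bucket model of the `hashlimit` rule, so you can see what `--hashlimit-above 20/second --hashlimit-burst 100 --hashlimit-mode srcip --hashlimit-srcmask 28` does to a spoofed flood before installing it. The continuous refill, the `HashLimit` class and the `simulate`/`flood` helpers are this example's own simplification, not the kernel module's implementation, and the traffic fed to it is constructed.

```python
"""Added example: token-bucket model of the iptables hashlimit rule
(--hashlimit-above 20/second --hashlimit-burst 100 --hashlimit-mode srcip
--hashlimit-srcmask 28) run over a constructed query flood.  Continuous
refill is a simplification of the kernel's credit arithmetic."""
import ipaddress


class HashLimit:
    def __init__(self, rate_per_second=20, burst=100, srcmask=28):
        self.rate = rate_per_second
        self.burst = burst
        self.srcmask = srcmask
        self.buckets = {}  # /srcmask network -> (tokens, last_seen)

    def key(self, src_ip):
        # --hashlimit-mode srcip with --hashlimit-srcmask 28: one bucket per /28,
        # so a spoofer rotating through 16 adjacent addresses shares a single limit
        return ipaddress.ip_network(f"{src_ip}/{self.srcmask}", strict=False)

    def above(self, src_ip, now):
        """True when this packet exceeds the limit, i.e. the rule matches and DROPs it."""
        k = self.key(src_ip)
        tokens, last = self.buckets.get(k, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[k] = (tokens - 1, now)
            return False
        self.buckets[k] = (tokens, now)
        return True


def simulate(packets, limiter=None):
    """packets: iterable of (time_seconds, src_ip).  Returns (accepted, dropped)."""
    limiter = limiter or HashLimit()
    accepted = dropped = 0
    for t, src in packets:
        if limiter.above(src, t):
            dropped += 1
        else:
            accepted += 1
    return accepted, dropped


def flood(src_ips, count, start, spacing):
    """Constructed traffic: `count` queries cycling through src_ips, one every `spacing` seconds."""
    return [(start + i * spacing, src_ips[i % len(src_ips)]) for i in range(count)]


if __name__ == "__main__":
    # Constructed scenario: 130 spoofed queries at t=0 from sixteen addresses in
    # 192.0.2.0/28, then 30 more one second later.  The burst of 100 passes, the
    # next 30 are dropped; after one second 20 tokens have refilled, so 20 of the
    # second wave pass and 10 are dropped: (120, 40).
    spoofed = [f"192.0.2.{i}" for i in range(16)]
    print(simulate(flood(spoofed, 130, 0.0, 0.0) + flood(spoofed, 30, 1.0, 0.0)))
```

The per-/28 key is the part worth noticing: with `--hashlimit-mode srcip` alone, an attacker spoofing sixteen neighbouring source addresses would get sixteen separate buckets; the `--hashlimit-srcmask 28` collapses them into one.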