Wednesday, April 24, 2013

how to identifiy DNS servers max responses limits

In this short blog, we will look at max DNS size limits. In a DNS reflection attack, the main goal of the attacker is to find a DNS server that's


  1. open resolvers
  2. has a low response limit ( EDNS )
  3. deploys no rate limits


This way the  attacker can spoof the target address against the open or even to degree a  closed DNS server and have that server send it's  replies to the victim network/host. This attack is a double whammy ,  since it floods the  open/closed dns server with a  bogus request  on behalf of the victim ip_address that we spoof.

Here's a way to determine the dns server max limits;

dig +short rs.dns-oarc.net txt 
 
https://www.dns-oarc.net/oarc/services/replysizetest 

So let's us the google public servers located at 8.8.4.4 and 8.8.8.8
 
 
sh-3.2$ dig +short rs.dns-oarc.net txt  8.8.4.4
rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
"x.x.x.177 DNS reply size limit is at least 3843"
"Tested at 2013-04-24 21:49:25 UTC"
"x.x.x.177 sent EDNS buffer size 4096"

 
and

sh-3.2$ dig +short rs.dns-oarc.net txt  8.8.8.8
rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
"Tested at 2013-04-24 21:49:25 UTC"
"x.x.x.177 sent EDNS buffer size 4096"
"x.x.x.177 DNS reply size limit is at least 3843"
sh-3.2$ 
 
 
So if the server support EDNS, it has no 512 byte limits.  So these attacks 
are low overhead for the attacker.

A simple dns query of 80bytes could generate a response of 3K or more and directed to a remote victim. This is why it's crucical to close dns servers and to rate limit the dns queries for repeated request.

To identify this attack it's quite simple and obvious, you will see numerous  requests for the same  RR and typically a hughe record type like that of a TXT or SPF.


You can measure the  size of the reply by using dig or host.

i.e
 sh-3.2$ host -v -t txt iana.org
Trying "iana.org"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11929
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;iana.org.            IN    TXT

;; ANSWER SECTION:
iana.org.        59    IN    TXT    "$Id: iana.org 1516 2013-04-18 19:21:42Z davids $"

Received 87 bytes from x.x.x.62#53 in 22 ms




To mitigate and protect form these attacks you should do all of the below;



  • http://tools.ietf.org/html/bcp38
  • if your resolver has no rate-limiting capacity , you can typically do this at the firewall 
  • rate limit DNS response at the DNS server ( bind9  rate-limit )
  • deploy IPS/IDS for alert on DNS floods
  • limit the DNS server max reply size by limiting the size of the RR that you use ( e.g do you really need a 3K+ byte RR ? )
  • deploy DNSSEC  
  • setup inter resolver only, and filter traffic inbound to your clients
  • isolate public and enterprise DNS servers
     
Using common sense in monitoring your dns server, will go a long way to determine if your being abused. If you see the same request over and over and for large resources records, stop and mitigate it.

This message is approved by Ken Felix :)



Ken Felix 
Freelance Network/Security Engineer
kfelix -at- hyperfeed -----dot---- com

close open dns servers 

No comments:

Post a Comment