How to Stop Root Query DNS Amplification Attacks

Problem Description:

Your DNS server is being exploited by spoofed UDP packets requesting the name servers for "." (the root servers). It may be one of many servers being used to mount a distributed denial of service attack on another host. Because UDP is connectionless, the source IP of the sending host cannot be verified as legitimate, since there is no three-way handshake (SYN, SYN-ACK, ACK); blocking that IP address therefore blocks only a single address, which is not the actual source. The source IP address (the target host) may also change, which circumvents a per-host blocking rule. Packets may arrive at anything from one per second to network-flood volume.

Network Detail:

A tcpdump will show repetitive queries for . (the root servers) and the responses from BIND.

#tcpdump -nnti eth1 port 53

IP 10.0.0.1.44235 > 10.0.0.0.53: 32563+ NS? . (17)
IP 10.0.0.0.53 > 10.0.0.1.44235: 41305- 0/13/0 (228)
IP 10.0.0.1.39770 > 10.0.0.0.53: 32563+ NS? . (17)
IP 10.0.0.0.53 > 10.0.0.1.39770: 41305- 0/13/0 (228)
IP 10.0.0.1.47158 > 10.0.0.0.53: 32563+ NS? . (17)
IP 10.0.0.0.53 > 10.0.0.1.47158: 41305- 0/13/0 (228)
IP 10.0.0.1.31776 > 10.0.0.0.53: 32563+ NS? . (17)
IP 10.0.0.0.53 > 10.0.0.1.31776: 41305- 0/13/0 (228)
...

Solution: iptables can use the "recent" match module, which tracks recently seen IP addresses. Using this list we can check whether a source IP address exceeds a reasonable rate and, if so, DROP the packet. The rule is quite flexible: if the source IP address changes the rule adapts, and as requests diminish the rule becomes inert. With my rules, once a source has made 20 lookups within 20 seconds its further packets are dropped. You will still see the 17-byte request arrive, but your host no longer participates in the DDoS.

#iptables -A INPUT -i eth1 -p udp --dport 53 -m recent --set
#iptables -A INPUT -i eth1 -p udp --dport 53 -m recent --update --seconds 20 --hitcount 20 -j DROP

You may also add these lines to named.conf in the public view to stop BIND from responding with root referrals:

view public {
    recursion no;
    additional-from-cache no;
    include "/var/named/named.master.zones";
};

Caveats:

For the duration of the attack this rule will also deny valid DNS requests from the victim. Unless your name server serves a large portion of the Internet, or the victim host relies primarily on your server, this is likely inconsequential.