{"id":2316,"date":"2015-10-14T21:04:34","date_gmt":"2015-10-14T21:04:34","guid":{"rendered":"https:\/\/live-infoblox-blog.pantheonsite.io\/?p=2316"},"modified":"2020-05-06T10:30:08","modified_gmt":"2020-05-06T17:30:08","slug":"how-dangerous-can-an-open-dns-resolver-be-part-iii","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/community\/how-dangerous-can-an-open-dns-resolver-be-part-iii\/","title":{"rendered":"How Dangerous Can An Open DNS Resolver Be? Part III"},"content":{"rendered":"

\"\"<\/p>\n

The beginning of the article you can read in\u00a0Part I<\/a>\u00a0and\u00a0Part II<\/a>.<\/em><\/p>\n

Results<\/strong><\/span><\/p>\n

Just for the first week my server received 416k requests for 63 domains from 1169 IPs. \u00a0During 5 months (3 months it was open) it received about 46 millions requests. Below you can see the graph for the first week.<\/p>\n

\"\"<\/p>\n

How fast will my DNS server\u00a0receive first recursive query<\/span><\/strong><\/h2>\n

My DNS received first recursive request from China only after 1 hour 20 minutes<\/strong>\u00a0(domain:\u00a0www.google.it).<\/a>\u00a0I\u2019ve checked log-files and found that my server periodically received such recursive requests before.\u00a0So attackers periodically scan networks and search for new vulnerable devices<\/em><\/strong>.<\/p>\n

How fast will it receive inappropriate requests<\/strong><\/span><\/h2>\n

First DNS-amplification attack was fixed after 1 day<\/strong>\u00a0(domain: webpanel.sk, 300 requests).<\/p>\n

Measure medium and maximum QPS under attack<\/span><\/strong><\/h2>\n

Maximum QPS is limited only by server capacity. The maximum QPS was 3080 during the study. All requests were sent with amplification. So at this moment my server utilized about 96Mb\/s (3080X4Kb =96Mb\/s).<\/p>\n

The graph, which you can see below, was produced in my analytical system. It shows\u00a0maximum QPS.<\/p>\n

\"\"<\/p>\n

Find victims and infected networks<\/span><\/strong><\/h2>\n

I\u2019m sure that 99% of requests were spoofed and used for DrDoS attacks. Some domains (doleta.gov, energystar.gov, ebay.de) were used for attacks and were under attack at the same time . Below you can see details about attacked countries and cities. Information about countries and cities was extracted from MaxMind IP GEO database.<\/p>\n

\"\"<\/p>\n

In table below you can find details about attacked companies. This information was extracted from Whois service and RIPE database.<\/p>\n

The most interesting rows in the table are \u201cTime Warner Cable Internet LLC\u201d, \u201cAkamai Technologies, Inc.\u201d and \u201cAT&T Internet Services\u201d. The quantity of the requests is relatively small but the quantity of the IP-addresses is very high. It can mean that the networks of these organizations were infected with a malware or\/and a botnet.<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Country<\/td>\nCompany<\/td>\nQ-ty requests<\/td>\nQ-ty\u00a0IPs<\/td>\n<\/tr>\n<\/thead>\n
United States<\/td>\nSoftLayer Technologies Inc.<\/td>\n3965202<\/td>\n36<\/td>\n<\/tr>\n
United States<\/td>\nSingleHop, Inc.<\/td>\n2617987<\/td>\n27<\/td>\n<\/tr>\n
United States<\/td>\nPSINet, Inc.<\/td>\n1994461<\/td>\n22<\/td>\n<\/tr>\n
France<\/td>\nOVH SAS<\/td>\n1051080<\/td>\n304<\/td>\n<\/tr>\n
United Kingdom<\/td>\nHosting Services Inc<\/td>\n938367<\/td>\n4<\/td>\n<\/tr>\n
Germany<\/td>\n1&1 Internet AG<\/td>\n761020<\/td>\n12<\/td>\n<\/tr>\n
United States<\/td>\nPrivateSystems Networks<\/td>\n748641<\/td>\n4<\/td>\n<\/tr>\n
Russian Federation<\/td>\nOJSC Rostelecom Ticket 09-39331, RISS 15440, UrF<\/td>\n687028<\/td>\n1<\/td>\n<\/tr>\n
United States<\/td>\nTime Warner Cable Internet LLC<\/td>\n671211<\/td>\n1568<\/td>\n<\/tr>\n
Canada<\/td>\nOVH Hosting, Inc.<\/td>\n592920<\/td>\n213<\/td>\n<\/tr>\n
United States<\/td>\nAkamai Technologies, Inc.<\/td>\n176327<\/td>\n4410<\/td>\n<\/tr>\n
China<\/td>\nChina Telecom<\/td>\n51565<\/td>\n207<\/td>\n<\/tr>\n
United States<\/td>\nAT&T Internet Services<\/td>\n27502<\/td>\n854<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

<\/h2>\n

Find out domains and requests which are used for attacks<\/span><\/strong><\/h2>\n

Attackers used about 15 different domains. So it is relatively simple to identify and block such domains. Information about domains and requests are available in table below.<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Domain<\/td>\nQuery<\/td>\nFlags<\/td>\nQ-ty requests<\/td>\n<\/tr>\n<\/thead>\n
webpanel.sk<\/td>\nANY<\/td>\n+E<\/td>\n14962032<\/td>\n<\/tr>\n
oggr.ru<\/td>\nANY<\/td>\n+E<\/td>\n8300693<\/td>\n<\/tr>\n
energystar.gov<\/td>\nANY<\/td>\n+E<\/td>\n6676350<\/td>\n<\/tr>\n
doleta.gov<\/td>\nANY<\/td>\n+E<\/td>\n6326853<\/td>\n<\/tr>\n
067.cz<\/td>\nANY<\/td>\n+E<\/td>\n2463053<\/td>\n<\/tr>\n
sema.cz<\/td>\nANY<\/td>\n+E<\/td>\n1251206<\/td>\n<\/tr>\n
GUESSINFOSYS.COM<\/td>\nANY<\/td>\n+E<\/td>\n690320<\/td>\n<\/tr>\n
jerusalem.netfirms.com<\/td>\nANY<\/td>\n+E<\/td>\n587534<\/td>\n<\/tr>\n
paypal.de<\/td>\nANY<\/td>\n+E<\/td>\n454756<\/td>\n<\/tr>\n
nlhosting.nl<\/td>\nANY<\/td>\n+E<\/td>\n414113<\/td>\n<\/tr>\n
freeinfosys.com<\/td>\nANY<\/td>\n+E<\/td>\n352233<\/td>\n<\/tr>\n
krasti.us<\/td>\nANY<\/td>\n+E<\/td>\n333806<\/td>\n<\/tr>\n
doc.gov<\/td>\nANY<\/td>\n+E<\/td>\n259248<\/td>\n<\/tr>\n
svist21.cz<\/td>\nANY<\/td>\n+E<\/td>\n231946<\/td>\n<\/tr>\n
wradish.com<\/td>\nANY<\/td>\n+E<\/td>\n117294<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

<\/h2>\n

Try to identify types of the attacks<\/span><\/strong><\/h2>\n

During the study I identified DrDoS, Random subdomain\/Phantom domain attack, NXDOMAIN attack, protocol anomalies. A graph below clearly shows an amplification attack. Blue line is an incoming traffic and yellow is an outgoing traffic.<\/p>\n

\"\"<\/p>\n

For DrDoS attacks \u201cANY\u201d request with EDNS was used. Below you can see details about request types and used flags.<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Request<\/td>\nFlags<\/td>\nQ-ty requests<\/td>\n<\/tr>\n<\/thead>\n
ANY<\/td>\n+E<\/td>\n43500439<\/td>\n<\/tr>\n
A<\/td>\n-ED<\/td>\n17339<\/td>\n<\/tr>\n
ANY<\/td>\n+<\/td>\n11932<\/td>\n<\/tr>\n
A<\/td>\n\u2013<\/td>\n9853<\/td>\n<\/tr>\n
A<\/td>\n-EDC<\/td>\n8956<\/td>\n<\/tr>\n
AAAA<\/td>\n-EDC<\/td>\n4749<\/td>\n<\/tr>\n
AAAA<\/td>\n-ED<\/td>\n4467<\/td>\n<\/tr>\n
ANY<\/td>\n\u2013<\/td>\n2289<\/td>\n<\/tr>\n
A<\/td>\n+E<\/td>\n1899<\/td>\n<\/tr>\n
RRSIG<\/td>\n+E<\/td>\n1124<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

These requests are related to Random subdomain attack (on Caching server) and NXDOMAIN attack on Authoritative (energystar.gov, doleta.gov):<\/p>\n

    \n
  • energystar.gov;<\/li>\n
  • doleta.gov;<\/li>\n
  • webpanel.sk;<\/li>\n
  • cnklipaaaaesh0000claaabbaaabfgoa;<\/li>\n
  • 2d852aba-7d5f-11e4-b763-d89d67232680.ipvm.biz.<\/li>\n<\/ul>\n

    How long my server will be used when I turn off my open resolver<\/span><\/strong><\/h2>\n

    When I turned off open resolver it received inappropriate requests during next 1.5 months.<\/p>\n

    Conclusions:<\/p>\n

      \n
    • Any DNS server is a cool tool for analyzing users and malware behavior<\/li>\n
    • Permanent or periodical analysis of DNS-logs can improve quality of DNS service<\/li>\n
    • A lot of requests\u00a0\u00abANY +E\u00bb shows that your server is under an attack\/participate in an attack<\/li>\n
    • Small quantity of domains may be used for attacks. You can block attacks with blacklists or DNS Firewall and decrease the load on DNS Servers and network utilization.<\/li>\n<\/ul>\n

      And in the end of the post I want to share my short video about DNS attacks. Have fun!<\/p>\n