DNS DDoS Blocking with fail2ban

    Tired of the heap of logcheck messages about named denying queries? Below is how to limit the damage a DDoS run through named can do, using the fail2ban package.

    The events in question look like this:
    System events
    =-=-=-=-=-=-=-=
    Jan 21 06:02:13 www named[32410]: client 66.230.128.15#15333: query (cache)
    + './NS/IN' denied

    Note, however, that in most cases the source IP address is spoofed. Each node in the botnet sends one or more packets per second to the DNS server; the server in turn answers every request with a REFUSED response sent to the spoofed address, so the traffic lands on the real victim rather than on the sender (your server is used as a reflector). Keep in mind what this means for the fix below: the address fail2ban bans is the spoofed one, i.e. the victim, not the attacker. The ban still stops your server from taking part in the attack, which is the point.

    Tired of your DNS server being used as a weapon in other people's DDoS attacks? Try installing the fail2ban package (Debian GNU/Linux). The project's website is www.fail2ban.org.

    First install the fail2ban package. By default only attacks on the ssh service are monitored and blocked, which is a sensible default. fail2ban can watch other services as well, and you can write your own actions and filters for it, but that is beyond the scope of this article.
    aptitude install fail2ban

    After the package is installed, look at /etc/fail2ban/jail.conf.
    At the end of the file there is a description of what needs to be done in the named configuration so that fail2ban can process events for the DNS service.

    First create a directory in which the DNS server log will be kept:
    mkdir /var/log/named
    chown bind:bind /var/log/named
    chmod 750 /var/log/named

    Then edit /etc/bind/named.conf.local (it may live elsewhere on your system; this path is correct for the bind9 package in Debian) and add the following lines. BIND accepts only one logging statement, so if your configuration already has one, add the channel and category to it instead of adding a second statement:
    logging {
        channel security_file {
            file "/var/log/named/security.log" versions 3 size 30m;
            severity dynamic;
            print-time yes;
        };
        category security {
            security_file
        };
    };

    Restart BIND:
    /etc/init.d/bind9 restart

    Make sure that the /var/log/named/security.log log is created and being written to:
    21-Jan-2010 07:19:54.835 client 66.230.160.1#28310: query (cache) './NS/IN' denied

    OK, now the changes on the fail2ban side. Open /etc/fail2ban/jail.conf for editing and make the following changes (better still, put only the changed sections into /etc/fail2ban/jail.local, which fail2ban reads after jail.conf and which a package upgrade will not overwrite):
    [named-refused-udp]
    enabled = false

    replace with
    [named-refused-udp]
    enabled = true

    and:
    [named-refused-tcp]
    enabled = false

    with
    [named-refused-tcp]
    enabled = true

    Restart fail2ban:
    /etc/init.d/fail2ban restart

    Make sure that fail2ban writes its own log, /var/log/fail2ban.log; it will contain something like:
    2010-01-21 07:34:32,800 fail2ban.actions: WARNING [named-refused-udp] Ban 76.9.16.171
    2010-01-21 07:34:32,902 fail2ban.actions: WARNING [named-refused-tcp] Ban 76.9.16.171

    Also make sure that fail2ban has added the corresponding rules to iptables:
    $ sudo iptables-save | grep fail2ban

    Now you can watch how promptly fail2ban restricts access:
    tail -f /var/log/named/security.log

    From now on the denied-query messages in the log will be minutes apart instead of seconds.
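    To make the ban decision above tangible, here is an added example that is not part of the original article or of the fail2ban project: a small Python script that replays fail2ban's logic over a few constructed security.log lines. The regular expression is my own, written to match the log format shown above and modelled on the shape of a fail2ban filter (the real filter lives in /etc/fail2ban/filter.d/named-refused.conf and may differ); maxretry = 3 and findtime = 600 seconds are assumed defaults; the sample log lines are constructed, not captured from a server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed regex modelled on a fail2ban filter for BIND "query ... denied" lines.
# The real filter is /etc/fail2ban/filter.d/named-refused.conf and may differ.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<host>\d{1,3}(?:\.\d{1,3}){3})#\d+: "
    r"query(?: \(cache\))? '.*' denied\s*$"
)
TS_FMT = "%d-%b-%Y %H:%M:%S"

# Constructed sample of /var/log/named/security.log (not real traffic).
# 66.230.160.1 sends three denied queries within two seconds;
# 192.0.2.7 sends three as well, but the third is 25 minutes later;
# the last line is a different BIND message that the filter must ignore.
SAMPLE_LOG = """\
21-Jan-2010 07:19:54.835 client 66.230.160.1#28310: query (cache) './NS/IN' denied
21-Jan-2010 07:19:55.102 client 66.230.160.1#28311: query (cache) './NS/IN' denied
21-Jan-2010 07:19:55.410 client 192.0.2.7#5300: query (cache) 'example.org/A/IN' denied
21-Jan-2010 07:19:56.009 client 66.230.160.1#28312: query (cache) './NS/IN' denied
21-Jan-2010 07:20:01.500 client 192.0.2.7#5301: query 'example.org/A/IN' denied
21-Jan-2010 07:20:03.771 client 198.51.100.9#4000: query (cache) 'isc.org/ANY/IN' denied
21-Jan-2010 07:45:10.000 client 192.0.2.7#5302: query (cache) 'example.org/A/IN' denied
21-Jan-2010 07:45:11.000 client 66.230.160.1#28313: unexpected RCODE (SERVFAIL)
"""


def parse_line(line):
    """Return (timestamp, source_ip) for a denied-query line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("host")


def find_bans(log_text, maxretry=3, findtime=600, ignoreip=()):
    """Replay fail2ban's rule: ban a host once it has produced maxretry
    matching lines within a sliding window of findtime seconds.

    Returns {ip: time_of_ban}. Note that with spoofed source addresses
    the banned "ip" is the victim of the reflection, not the attacker;
    the ban still stops this server from answering the spoofed queries.
    """
    window = timedelta(seconds=findtime)
    hits = defaultdict(list)
    banned = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a denied query: ignored by the filter
        ts, host = parsed
        if host in ignoreip or host in banned:
            continue  # whitelisted, or already banned by the action
        # Keep only hits still inside the findtime window (fail2ban's behaviour).
        recent = [t for t in hits[host] if ts - t <= window]
        recent.append(ts)
        hits[host] = recent
        if len(recent) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    for ip, when in sorted(find_bans(SAMPLE_LOG).items()):
        print(f"{when:%Y-%m-%d %H:%M:%S} fail2ban.actions: WARNING [named-refused-udp] Ban {ip}")
```

    With the defaults only 66.230.160.1 is banned: 192.0.2.7 also reaches three denials, but its third arrives long after the first two have aged out of the 600-second window, which is exactly why a longer findtime (or a longer bantime, as discussed below) catches slow, persistent sources that the defaults let through. Adding a host to ignoreip suppresses its ban entirely, which is how the RFC1918 networks mentioned later are handled.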

    A few further improvements.

    Tell logcheck to look in the new location for error messages: edit /etc/logcheck/logcheck.logfiles and add the following line at the end of the file:
    /var/log/named/security.log

    Check that you now receive fail2ban's messages by e-mail.

    It is worth going through the options in the [DEFAULT] section of /etc/fail2ban/jail.conf. You may also want to enable jails for services other than named, and it may make sense to adjust the rule that ignores RFC1918 networks (see the ignoreip option).

    You might also consider raising bantime = 600 (ten minutes) to a longer period.

    You can also write your own filters for fail2ban if you know enough of the magic of regular expressions ;)

    In short, dare and explore :)

    PS: Yes, this is still just a free translation of "Blocking a DNS DDOS using the fail2ban package" with some additions from practice ;)
