Snort rules for isc.org and ripe.net DNS Amplification Attacks

Everything started with a few queries of isc.org thrugh open DNS servers located at our data center. Searching through the net we found that we are not the victims but a part of  uncomprimised sources of  a huge DDoS attack. A 60 byte query will turn into 50 times larger data directed to victims IP addresses. Even we were not the victims, the attacks became threading our connection if you think of hundreds of servers each of them pushing 10 Mbits to the Net. We needed a solution to stop those attacks.

Finally we have found a solution to stop DNS Amplification Attacks using pfsense with snort.

The below codes are extracted from raw IP data, as a sample, you may check what we had done for ripe.net query:

0x0000: 4500 0042 6142 4000 7911 e7c3 9a23 a00b E..BaB@.y....#..
0x0010: 5e67 200f 0035 0035 002e 0000 03b8 0100 ^g...5.5........
0x0020: 0001 0000 0000 0001 0472 6970 6503 6e65 .........ripe.ne
0x0030: 7400 00ff 0001 0000 2910 0000 0080 0000 t.......).......
0x0040: 0000 ..
Use the code below to stop DNS Amplification attacks, you can paste the code to snort interface Advanced configuration pass through section:
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS ripe.net UDP"; content:"|01 04 72 69 70 65 03 6e 65 74 00|";classtype:attempted-dos;sid:4000003;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS isc.org UDP"; content:"|01 03 69 73 63 03 6f 72 67|";classtype:attempted-dos;sid:4000003;)
The code is tested to have minimal overhead.

Please post your comment if you need additional DNS Amplification Attack rules.
  • 108 Bu dökümanı faydalı bulan kullanıcılar:
Bu cevap yeterince yardımcı oldu mu?

İlgili diğer dökümanlar

Password Generation in UNIX

Below I’ll describe a couple of nice methods to generate passwords using Python and Bash....

Routing, a Brief Introduction

Introduction Routing is the process of finding the route to a destination, and routing protocols...

Nmap : Scanning Methods

Earlier we’ve discussed target specificationin detail. But it is almost as import to choose...

Nmap : Target Specification in Detail

Every now and then, we need to scan ports as system administrators, even if the target machine is...

Web Hosting Security premier

IMPORTANT NOTE: Never assume the directory structures exist in your system as written in the...