Pi-hole server involved in a 'DNS Amplification' DDOS Attack
-
uh oh :face_screaming_in_fear: I guess I'll just tear down the instance and make a new one.
For future reference is there any decent way to protect against this happening in the future?
vpnmonster.ru 2019-01-04 22:46:08 Hello Abuse-Team, Your Server/Customer with the IP: <PiHoleIP> has attacked one of our servers <VictimIP> The attackers used the method/service: *DNS Amplification* Please check the machine behind the IP <PiHoleIP> and fix the problem. What happened? - We received a large DDoS attack and your IP <PiHoleIP> was one of the addresses the attack was coming from - You will find a log at the end of this message Why this email was sent to me? - Your network has an open DNS resolver <PiHoleIP> being used in a botnet for a DDoS attack - The WHOIS of the IP <PiHoleIP> contained your email - If you are not a person responsible for this machine, please forward the message to the network owner or the corresponding machine owner Please consider the complaint as soon as possible and fix the problem. Log: Date 04.01.2019. Time zone UTC ###################################### 21:35:12.334449 IP <PiHoleIP>.53 > <VictimIP>.80: 8333 NotImp 0/0/1 (36) 21:35:13.450924 IP <PiHoleIP>.53 > <VictimIP>.80: 51429 NotImp 0/0/1 (36) 21:35:14.325458 IP <PiHoleIP>.53 > <VictimIP>.80: 53947 NotImp 0/0/1 (36) 21:35:15.124668 IP <PiHoleIP>.53 > <VictimIP>.80: 13030 NotImp 0/0/1 (36) 21:35:17.429052 IP <PiHoleIP>.53 > <VictimIP>.80: 59040 NotImp 0/0/1 (36) ###################################### -
Just secure the PiHole host. Assuming Ubuntu
Should get you going.
-
Have you looked in /var/logs? might be worth looking to see how they have managed to get in. otherwise you could setup another PI-Hole and the same thing could happen. Did you use a secure passwords for SSH and the login page? no dictionary passwords?
-
@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
Just secure the PiHole host. Assuming Ubuntu
Should get you going.
What makes you think the host is insecure? or been breached?
DNS reflection attacks - assuming you're hosting a public DNS service, not sure you can do anything about it.
-
@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
Just secure the PiHole host. Assuming Ubuntu
Should get you going.
I don't think any of this would prevent a DNS Amplification attack.
https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/
-
@bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
uh oh :face_screaming_in_fear: I guess I'll just tear down the instance and make a new one.
For future reference is there any decent way to protect against this happening in the future?
The only thing I can think you can do is limit who is allowed to use your PiHole. Though assuming you're using typical consumer ISPs, you might not have static IPs to lock to, instead forcing you to setup DDNS services for anyone trying to use your PiHole - what a PITA.
-
Well I suppose it's possible that @bnrstnr is hosting a public DNS service with this PiHole but I find that doubtful. . .
It is just as likely a client on his network is compromised and was spamming his PiHole server and sending those requests out.
-
@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
Well I suppose it's possible that @bnrstnr is hosting a public DNS service with this PiHole but I find that doubtful. . .
It is just as likely a client on his network is compromised and was spamming his PiHole server and sending those requests out.
@bnrstnr are you using a publicly hosted PiHole?
-
@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
Well I suppose it's possible that @bnrstnr is hosting a public DNS service with this PiHole but I find that doubtful. . .
I was hosting a public dns server with this instance. I just setup PiHole on it and a few friends and family were using it.
-
They are coming from DNS Port 53 in that screenshot, where is this machine running from, home server?
-
@StuartJordan said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
They are coming from DNS Port 53 in that screenshot, where is this machine running from, home server?
a Vultr VPS
-
@bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
Well I suppose it's possible that @bnrstnr is hosting a public DNS service with this PiHole but I find that doubtful. . .
I was hosting a public dns server with this instance. I just setup PiHole on it and a few friends and family were using it.
So you won't be able to fix this issue without confirming that your friends and family systems aren't compromised. Not that a public DNS can't be used like this but it's much more likely to be within your environment to find the culprit.
I'm curious to know if there would be a way to deny requests from networks that are unknown with PiHole. . .
-
@StuartJordan said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
They are coming from DNS Port 53 in that screenshot, where is this machine running from, home server?
Does it matter? it's on the public internet - @bnrstnr just said that.
-
@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
So you won't be able to fix this issue without confirming that your friends and family systems aren't compromised. Not that a public DNS can't be used like this but it's much more likely to be within your environment to find the culprit.
I highly doubt this is the case. All somebody needs to do is discover that there is a public DNS server. I would get random hits and scans all the time that show up in the PiHole GUI.
-
@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
Well I suppose it's possible that @bnrstnr is hosting a public DNS service with this PiHole but I find that doubtful. . .
I was hosting a public dns server with this instance. I just setup PiHole on it and a few friends and family were using it.
So you won't be able to fix this issue without confirming that your friends and family systems aren't compromised. Not that a public DNS can't be used like this but it's much more likely to be within your environment to find the culprit.
I'm curious to know if there would be a way to deny requests from networks that are unknown with PiHole. . .
WHAT? sure, perhaps his friends were compromised - but unless @bnrstnr is limiting who can use his PiHole, then ANYONE can send faked DNS queries to it. I'm a sure @bnrstnr's server shows up in Shodan by now, so any hacker can find and use it.
-
If it's a public DNS, someone else is more then likely using it...
-
@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
I'm curious to know if there would be a way to deny requests from networks that are unknown with PiHole. . .
Somebody was working on this at one point. I can't remember who it was and I can't find it in the tags right now.
-
@bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
So you won't be able to fix this issue without confirming that your friends and family systems aren't compromised. Not that a public DNS can't be used like this but it's much more likely to be within your environment to find the culprit.
I highly doubt this is the case. All somebody needs to do is discover that there is a public DNS server. I would get random hits and scans all the time that show up in the PiHole GUI.
But the reported issue is that these request appear to come from your devices. IE they are spoofed or are legitimately coming from your trusted network.
Can you setup ingress filtering for this?
-
@bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
I'm curious to know if there would be a way to deny requests from networks that are unknown with PiHole. . .
Somebody was working on this at one point. I can't remember who it was and I can't find it in the tags right now.
presumably there is a firewall on the PiHole - you just only allow access from known networks - but that then gets back to my earlier post, managing changes to IPs - sure you could open the whole range for something near your friends current IPs, and I suppose that would be better than nothing.
-
@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
So you won't be able to fix this issue without confirming that your friends and family systems aren't compromised. Not that a public DNS can't be used like this but it's much more likely to be within your environment to find the culprit.
I highly doubt this is the case. All somebody needs to do is discover that there is a public DNS server. I would get random hits and scans all the time that show up in the PiHole GUI.
But the reported issue is that these request appear to come from your devices. IE they are spoofed or are legitimately coming from your trusted network.
Can you setup ingress filtering for this?
What? This is not how a reflection (DNS amplication) attack works.
