Pi-hole server involved in a 'DNS Amplification' DDOS Attack

Dashrender

@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

@Dashrender said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

@bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

So you won't be able to fix this issue without confirming that your friends and family systems aren't compromised. Not that a public DNS can't be used like this but it's much more likely to be within your environment to find the culprit.

I highly doubt this is the case. All somebody needs to do is discover that there is a public DNS server. I would get random hits and scans all the time that show up in the PiHole GUI.

But the reported issue is that these request appear to come from your devices. IE they are spoofed or are legitimately coming from your trusted network.

Can you setup ingress filtering for this?

What? This is not how a reflection (DNS amplication) attack works.

Yes and no. We know PiHole is being used. We don't know if it's from a device that @bnrstnr knows about or not.

That's true - but that's not really relevant. Sure - it would be nice to tell his friend - hey I see your machine sending spoof'ed messages.. but the reality it that his PiHole can't see that. oh yeah, because the packets are already spoofed.

DustinB3403

Speaking of PiHole I have to add a few whitelist to mine since my house mates can't use a few sites.

Great stupid spammy websites.

DustinB3403

@Dashrender said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

@Dashrender said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

@bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

So you won't be able to fix this issue without confirming that your friends and family systems aren't compromised. Not that a public DNS can't be used like this but it's much more likely to be within your environment to find the culprit.

I highly doubt this is the case. All somebody needs to do is discover that there is a public DNS server. I would get random hits and scans all the time that show up in the PiHole GUI.

But the reported issue is that these request appear to come from your devices. IE they are spoofed or are legitimately coming from your trusted network.

Can you setup ingress filtering for this?

What? This is not how a reflection (DNS amplication) attack works.

Yes and no. We know PiHole is being used. We don't know if it's from a device that @bnrstnr knows about or not.

That's true - but that's not really relevant. Sure - it would be nice to tell his friend - hey I see your machine sending spoof'ed messages.. but the reality it that his PiHole can't see that. oh yeah, because the packets are already spoofed.

How do you think spoofed ip filters work?

Dashrender

@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

@Dashrender said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

@Dashrender said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

@bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

So you won't be able to fix this issue without confirming that your friends and family systems aren't compromised. Not that a public DNS can't be used like this but it's much more likely to be within your environment to find the culprit.

I highly doubt this is the case. All somebody needs to do is discover that there is a public DNS server. I would get random hits and scans all the time that show up in the PiHole GUI.

But the reported issue is that these request appear to come from your devices. IE they are spoofed or are legitimately coming from your trusted network.

Can you setup ingress filtering for this?

What? This is not how a reflection (DNS amplication) attack works.

Yes and no. We know PiHole is being used. We don't know if it's from a device that @bnrstnr knows about or not.

That's true - but that's not really relevant. Sure - it would be nice to tell his friend - hey I see your machine sending spoof'ed messages.. but the reality it that his PiHole can't see that. oh yeah, because the packets are already spoofed.

How do you think spoofed ip filters work?

I don't even know what that is.

CloudKnight

Think the idea of hosting a public DNS is just asking for a headache
you could block all countries and just allow China and Russia. - (joking of course)

Dashrender

@StuartJordan said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

Think the idea of hosting a public DNS is just asking for a headache
you could block all countries and just allow China and Russia. - (joking of course)

Yeah - GEO IP blocking would likely be your best starting bet. But as IPs continue to diversify, that will be less and less useful.

What we need to see happen is anti spoofing at the Internet Routers layer - they need to drop packets that aren't labeled as a return address for something that exists on the pipe the packet just came from.

Though - that said - I think some peer to peer tech uses spoofed packets to work, so assuming that's true, that stuff would be broken.

bnrstnr

@Dashrender said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

GEO IP blocking

This is what I was thinking. Maybe a decent starting point, but probably not super useful as they use the targets address as the source(if I understand correctly), so any attacks on a US target would be allowed. This attack just happened to be against a Russian VPN service, so it might have helped here.

Curtis

https://freek.ws/2017/03/18/blocking-dns-amplification-attacks-using-iptables/

DustinB3403

@Curtis said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

https://freek.ws/2017/03/18/blocking-dns-amplification-attacks-using-iptables/

That filtering will only work for LAN only, at least as documented and would be troublesome to complete for this use case as @bnrstnr is hosting a public DNS for friends and family. All of whom likely are in different public networks.

scottalanmiller

@StuartJordan said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

Have you looked in /var/logs? might be worth looking to see how they have managed to get in. otherwise you could setup another PI-Hole and the same thing could happen. Did you use a secure passwords for SSH and the login page? no dictionary passwords?

DNS Amplification does not require a breach, nor suggest one. It's just something that can happen to public DNS.

scottalanmiller

@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

@Curtis said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

https://freek.ws/2017/03/18/blocking-dns-amplification-attacks-using-iptables/

That filtering will only work for LAN only, at least as documented and would be troublesome to complete for this use case as @bnrstnr is hosting a public DNS for friends and family. All of whom likely are in different public networks.

Yup, very little that can be done.

DustinB3403

Dumb question for @bnrstnr why not setup PiHole individually for each of your friends and families networks rather than dealing with a public DNS for everyone.

Is there a reason to have this setup like this besides it being cool?

scottalanmiller

@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

Dumb question for @bnrstnr why not setup PiHole individually for each of your friends and families networks rather than dealing with a public DNS for everyone.

Is there a reason to have this setup like this besides it being cool?

Uses a fraction of the resources, can work for people who are mobile, etc.

DustinB3403

@scottalanmiller said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

Dumb question for @bnrstnr why not setup PiHole individually for each of your friends and families networks rather than dealing with a public DNS for everyone.

Is there a reason to have this setup like this besides it being cool?

Uses a fraction of the resources, can work for people who are mobile, etc.

That's true but he wouldn't need to deal with issues like the one he's currently dealing with.

Edit this also assumes that at least on their mobile computers (laptops) that the DNS is statically configured.

Seems like a bad approach.

scottalanmiller

@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

@scottalanmiller said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

Dumb question for @bnrstnr why not setup PiHole individually for each of your friends and families networks rather than dealing with a public DNS for everyone.

Is there a reason to have this setup like this besides it being cool?

Uses a fraction of the resources, can work for people who are mobile, etc.

That's true but he wouldn't need to deal with issues like the one he's currently dealing with.

Edit this also assumes that at least on their mobile computers (laptops) that the DNS is statically configured.

Seems like a bad approach.

It's how Cisco and others handle it.

This issue doesn't come up often. Never seen it previously.

bnrstnr

@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

Dumb question for @bnrstnr why not setup PiHole individually for each of your friends and families networks rather than dealing with a public DNS for everyone.

How would I set it up individually for everybody? None of my friends or family has a raspberry pi, server, or anything that could run it. I use a $2.50 instance on vultr.

Dashrender

@bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

Dumb question for @bnrstnr why not setup PiHole individually for each of your friends and families networks rather than dealing with a public DNS for everyone.

How would I set it up individually for everybody? None of my friends or family has a raspberry pi, server, or anything that could run it. I use a $2.50 instance on vultr.

They'd need one of those thing each for themselves to run it individually.

Scott's post points out why that's likely a less than desirable solution.

DustinB3403

@bnrstnr Dash beat me to the answer.

But yeah, you'd setup a Pi in each person's network and then configure their local DNS to use the PiHole.

Dashrender

The occasional complaint is nothing something I would worry about - especially when you're doing nothing wrong - I wouldn't change anything from what you have today. it's way to flexible and low cost to worry about changing.,

bnrstnr

@Dashrender said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

The occasional complaint is nothing something I would worry about - especially when you're doing nothing wrong - I wouldn't change anything from what you have today. it's way to flexible and low cost to worry about changing.,

That's the way I'm leaning, too. I might try to do some geo-blocking, but I doubt I'll ever get to it. Especially since nobody here has seen this before on their piholes.