Pi-hole server involved in a 'DNS Amplification' DDOS Attack
-
@scottalanmiller said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@gjacobse said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@scottalanmiller said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@gjacobse said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
Had the same thing happen to my Vultr Pi-Hole.. I deleted the server for the time being.. and may not rebuild.
I thought you had a WARNING that it COULD happen, not that it DID happen.
Correct.. the notice came in over the weekend.
Right, totally different. One is being told you have an open port, which is essentially guaranteed to happen as Vultr does that every few days. The other is very unlikely, an actual attack.
Everyone on Vultr gets the one. When we said that no one else has had this happen, you didn't have it happen either.
This is what I received:
Dear Customer, This abuse ticket requires your immediate attention. Please correct the matter and reply to this ticket with resolution within the next 48 hours to ensure uninterrupted service. Overwhelming evidence of violation/compromise may result in VPS suspension prior to the 48 hour deadline to protect system and additional customer resources. -- Complaint Response Team -- To update or check the progress of your ticket, please reply directly to this e-mail or visit:
-
@gjacobse Vultr is seeing the traffic spike on your instance, to levels way beyond what is normal and likely for a sustained amount of time.
Thus they are telling you to fix whatever is wrong or they are shutting you down.
-
I never got this obsession with making public Pi-Hole systems.
No one is going to go to all the trouble to override their cellular settings to use the Pi-Hole when roaming. Just set up something at home and move on.
-
@JaredBusch that was kind of my point.
How much value is there in doing this, really?
-
@gjacobse said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@scottalanmiller said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@gjacobse said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@scottalanmiller said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@gjacobse said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
Had the same thing happen to my Vultr Pi-Hole.. I deleted the server for the time being.. and may not rebuild.
I thought you had a WARNING that it COULD happen, not that it DID happen.
Correct.. the notice came in over the weekend.
Right, totally different. One is being told you have an open port, which is essentially guaranteed to happen as Vultr does that every few days. The other is very unlikely, an actual attack.
Everyone on Vultr gets the one. When we said that no one else has had this happen, you didn't have it happen either.
This is what I received:
Dear Customer, This abuse ticket requires your immediate attention. Please correct the matter and reply to this ticket with resolution within the next 48 hours to ensure uninterrupted service. Overwhelming evidence of violation/compromise may result in VPS suspension prior to the 48 hour deadline to protect system and additional customer resources. -- Complaint Response Team -- To update or check the progress of your ticket, please reply directly to this e-mail or visit:
That's what everyone gets. That doesn't apply to this thread.
-
@JaredBusch said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
I never got this obsession with making public Pi-Hole systems.
No one is going to go to all the trouble to override their cellular settings to use the Pi-Hole when roaming. Just set up something at home and move on.
I do
-
@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@JaredBusch that was kind of my point.
How much value is there in doing this, really?
Why do it at all then? I mean sure, we are at home "most" of the time. But you still want it when not at home.
-
@scottalanmiller said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@JaredBusch said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
I never got this obsession with making public Pi-Hole systems.
No one is going to go to all the trouble to override their cellular settings to use the Pi-Hole when roaming. Just set up something at home and move on.
I do
You aren't the majority.
@scottalanmiller said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@JaredBusch that was kind of my point.
How much value is there in doing this, really?
Why do it at all then? I mean sure, we are at home "most" of the time. But you still want it when not at home.
Because this would be comparable to doing it for a business. Run your house like you would run a business.
PiHole is designed with the intention of being used on a LAN. Not as a public DNS server. . .
-
Although I do wonder how Google manages. . . .
-
@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
Although I do wonder how Google manages. . . .
How does Cloudflare mitigate DNS amplification attacks?
With a properly configured firewall and sufficient network capacity (which isn't always easy to come by unless you are the size of Cloudflare), it's trivial to block reflection attacks such as DNS amplification attacks. Although the attack will target a single IP address, our Anycast network will scatter all attack traffic to the point where it is no longer disruptive. Cloudflare is able to use our advantage of scale to distribute the weight of the attack across many Data Centers, balancing the load so that service is never interrupted and the attack never overwhelms the targeted server’s infrastructure. During a recent six month window our DDoS mitigation system "Gatebot" detected 6,329 simple reflection attacks (that's one every 40 minutes), and the network successfully mitigated all of them. Learn more about Cloudflare's advanced DDoS Protection.
Source: https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/
-
Source IP verification – stop spoofed packets leaving network
Because the UDP requests being sent by the attacker’s botnet must have a source IP address spoofed to the victim’s IP address, a key component in reducing the effectiveness of UDP-based amplification attacks is for Internet service providers (ISPs) to reject any internal traffic with spoofed IP addresses. If a packet is being sent from inside the network with a source address that makes it appear like it originated outside the network, it’s likely a spoofed packet and can be dropped. Cloudflare highly recommends that all providers implement ingress filtering, and at times will reach out to ISPs who are unknowingly taking part in DDoS attacks and help them realize their vulnerability.
-
@scottalanmiller said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
But you still want it when not at home.
Not worth the effort.
-
@JaredBusch said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@scottalanmiller said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
But you still want it when not at home.
Not worth the effort.
I agree with this mostly because it will break any portal-based open wifi someone tries to use.
But if a user is using their own cellphone/mifi, etc. to get online while away from home, it could be worth it.
-
@scottalanmiller said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
Source IP verification – stop spoofed packets leaving network
Because the UDP requests being sent by the attacker’s botnet must have a source IP address spoofed to the victim’s IP address, a key component in reducing the effectiveness of UDP-based amplification attacks is for Internet service providers (ISPs) to reject any internal traffic with spoofed IP addresses. If a packet is being sent from inside the network with a source address that makes it appear like it originated outside the network, it’s likely a spoofed packet and can be dropped. Cloudflare highly recommends that all providers implement ingress filtering, and at times will reach out to ISPs who are unknowingly taking part in DDoS attacks and help them realize their vulnerability.
hmm... I think someone posted something like this higher in the thread.
-
@Dashrender yeah it was me who said it around post 20.
-
@DustinB3403 didn't you say the method above would only work for devices on the Pi-Hole's LAN?
-
@bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@DustinB3403 didn't you say the method above would only work for devices on the Pi-Hole's LAN?
The method linked by someone else would, yes. As it's impractical to try to do said linked approach for the open internet.
Again, it's what you would do, but isn't practical because of your scale.
@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
But the reported issue is that these requests appear to come from your devices, i.e. they are spoofed or are legitimately coming from your trusted network.
Can you setup ingress filtering for this?
This is the approach proposed by Curtis.
@Curtis said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
https://freek.ws/2017/03/18/blocking-dns-amplification-attacks-using-iptables/
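As an added illustration (not code from the thread, from Pi-hole, or from the linked iptables post): a check that reads Pi-hole/dnsmasq-style query log lines and reports which querying addresses lie outside the LAN the resolver is meant to serve, along with how many of their queries were ANY lookups. On an exposed resolver those outside addresses are usually the spoofed victims of a reflection attack rather than the attacker, which is the situation the abuse ticket earlier in the thread describes. The log lines and the trusted network are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in dnsmasq/Pi-hole query-log style (not real traffic).
SAMPLE_LOG = """\
Mar 18 10:00:01 dnsmasq[812]: query[A] example.com from 192.168.1.20
Mar 18 10:00:02 dnsmasq[812]: query[ANY] isc.org from 203.0.113.45
Mar 18 10:00:02 dnsmasq[812]: query[ANY] isc.org from 203.0.113.45
Mar 18 10:00:02 dnsmasq[812]: query[ANY] isc.org from 203.0.113.45
Mar 18 10:00:03 dnsmasq[812]: query[AAAA] example.net from 192.168.1.21
Mar 18 10:00:04 dnsmasq[812]: query[TXT] example.org from 198.51.100.7
"""

# Matches the "query[TYPE] name from client" part of a dnsmasq query line.
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<src>\S+)")


def parse_queries(log_text):
    """Yield (qtype, name, source_ip) tuples from dnsmasq-style query lines."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("qtype"), m.group("name"), m.group("src")


def find_outside_clients(log_text, trusted_networks):
    """Return {source_ip: {"count": n, "any": n_any}} for every querying
    address that is NOT inside one of the trusted networks (CIDR strings).

    A Pi-hole meant for a LAN should never answer such clients at all; in a
    reflection attack the flagged address is typically the spoofed victim,
    and a high share of ANY queries is the classic amplification signature."""
    trusted = [ip_network(n) for n in trusted_networks]
    report = {}
    for qtype, _name, src in parse_queries(log_text):
        try:
            addr = ip_address(src)
        except ValueError:
            continue  # skip malformed client fields rather than crash
        if any(addr in net for net in trusted):
            continue  # legitimate LAN client, nothing to report
        entry = report.setdefault(src, {"count": 0, "any": 0})
        entry["count"] += 1
        if qtype == "ANY":
            entry["any"] += 1
    return report


if __name__ == "__main__":
    for src, stats in find_outside_clients(SAMPLE_LOG, ["192.168.1.0/24"]).items():
        print(f"{src}: {stats['count']} queries, {stats['any']} of type ANY")
```

Any non-empty result on a LAN-only Pi-hole means port 53 is reachable from outside and should be firewalled to the trusted ranges before the VPS provider suspends the instance.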