Koozali.org: home of the SME Server

DNS - Open DNS DDOS Attack

tdekeizer

DNS - Open DNS DDOS Attack
« on: March 07, 2006, 01:43:26 AM »
We have a client who has a version 5.5 SME server installed in server only mode in their network.  It has operated faultlessly for 4 years.

They have just been informed that the server is particpating in DDoS attacks because the DNS server installed on it is "Open".  The exact text is :

"The IP addresses listed below have been reported as being open DNS servers and used in an ongoing DDoS attack via DNS amplification."

I was wondering if this issue is easily solved without resorting to a complete upgrade to a version 6 or 7 server.

Kind Regards
Tony De Keizer

Offline byte

  • *
  • 2,183
  • +2/-0
DNS - Open DNS DDOS Attack
« Reply #1 on: March 07, 2006, 09:37:56 PM »
You will get an answer like...

I would strongly advise you update as there may be security issue's with what ever version of DNS is on 5.5, that's why it's no longer supported because packages are fixed and updated..

Sorry cant help you anymore but your'll probably find that's what everyone will suggest
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

Offline dsemuk

  • ****
  • 269
  • +0/-0
DNS - Open DNS DDOS Attack
« Reply #2 on: March 08, 2006, 12:51:46 AM »
Can I just add to what byte said....

You also need to get that server off the internet, you are doing your client no favours leaving it connected.

As byte said upgrade is your only route, SME5 has not been supported for a long time.

Dave
--
Esmith/Mitel/SME server  :-D...

tdekeizer

DDOs DNs Attack
« Reply #3 on: March 08, 2006, 01:08:25 AM »
Thanks Guys.

Thought this would be the response.  Unit is not directly attached to Internet but on large network that was recently audited for these vulnerabilities.   Will address asap.

Is it possible to do an inplace upgrade from 5.5 -> 6.5 or later versions.  The unit is a pretty basic install plus Hylafax and some standard contribs.

Offline byte

  • *
  • 2,183
  • +2/-0
DNS - Open DNS DDOS Attack
« Reply #4 on: March 08, 2006, 11:58:52 PM »
No-one I know of has tried a 5.5 > 7.0preX upgrade, although some have done a 5.6 > 7.0preX upgrade...

Not tried but what I would attempt is one of two way's...

Upgrade 5.5 > 6.0.1 > 7.0preX

or

Upgrade 5.5 > 5.6 > 7.0preX

I would personally go for the 5.5 > 5.6 only because I know of the difference's between 5.5 and 5.6...

You could attempt a 5.5 > 7.0preX and open any issue's on the Bug Tracker...(Not sure whether they will be able to help as you really are on a old release 2001 IIRC?)

HTH
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

Offline CharlieBrady

  • *
  • 6,918
  • +3/-0
Re: DDOs DNs Attack
« Reply #5 on: March 09, 2006, 10:15:29 PM »
Quote from: "tdekeizer"
Unit is not directly attached to Internet but on large network that was recently audited for these vulnerabilities.


There's also the possibility that there has been a false diagnosis. Were you given details of what is supposedly happening?

kicker

it seems that this is because of recursive function
« Reply #6 on: March 20, 2006, 03:08:21 PM »
Hi, i'm new here!

I saw this on NANOG explaining the attack and what to do

http://www.isotf.org/news/DNS-Amplification-Attacks.pdf

Offline CharlieBrady

  • *
  • 6,918
  • +3/-0
Re: DDOs DNs Attack
« Reply #7 on: March 20, 2006, 04:01:01 PM »
Quote

There's also the possibility that there has been a false diagnosis.


From reading the paper and looking at the bind (named) configuration in 5.5 it looks like the diagnosis is reasonable. The bind configuration in 5.5 does support promiscuous recursive lookups, which you have presumably exposed to the Internet by opening a UDP port 53 hole in your firewall (or worse still, you do not have a firewall). The quickest fix is to disable the named service, and add a custom template for /etc/resolv.conf to use another (properly secured) name server.

The best solution is to upgrade to a supported version.

5.5 has been unsupported and deprecated for a long time now. You have no excuses for still running it.