Koozali.org: home of the SME Server
Obsolete Releases => SME Server 8.x => Topic started by: p-jones on May 14, 2015, 10:55:35 AM
-
Hi
I have a V8.1 Server - Gateway that has been running on ADSL for a while now without issue. The ADSL Router had a DMZ pointing to the WAN NIC on the Server.
This ADSL has just been upgraded to Fibre. The dudes who did the fibre will not set a DMZ as they are telling me "We set a DMZ, however the server was hit with a DNS Amplification attack almost instantly"
At this point I don't have access to any logs (it's a good few hours' drive to get on to the site), but this doesn't quite sound right?
If I go onto the site, where should I start looking and for what?
Please ask for any info I may not have mentioned and I will try and answer.
Thanks in advance
Peter
PS the machine was fully updated immediately prior to the fibre conversion.
-
The dudes who did the fibre will not set a DMZ as they are telling me "We set a DMZ, however the server was hit with a DNS Amplification attack almost instantly"
Interesting that they have concluded a 'DNS Amplification attack' 'instantly'. Funny if you get a new Public IP from that same provider...
-
This ADSL has just been upgraded to Fibre. The dudes who did the fibre will not set a DMZ as they are telling me "We set a DMZ, however the server was hit with a DNS Amplification attack almost instantly"
Did you ask them what they saw that caused them to say that?
-
Did you ask them what they saw that caused them to say that?
I asked why they thought that but didn't get a reply. I know this is not overly helpful. I am dealing with a 'middle-man' and there are some politics that I do not want to get involved with.
What I did find was that their idea of a DMZ was to forward all ports, TCP only, to the server (no UDP on 53), and I am wondering if this may have some bearing.
I had initially envisaged going directly from the ONT to the NIC and reconfiguring for PPPoE, however I was advised this could not happen as fibre delivery requires VLAN tagging, unsupported by SME, and they used a MikroTik router at the front door.
Fibre at this level is new in NZ and I have very limited experience with it. When I was in corporate it was delivered quite differently.
-
I asked why they thought that but didnt get a reply. I know this is not overly helpful.
Indeed it's not. Anyone connected to the Internet can be hit by a DNS amplification attack. It's not very likely to have actually happened though.
What I did find was that their idea of a DMZ was to forward all ports, TCP only, to the server (no UDP on 53), and I am wondering if this may have some bearing.
Sounds like you are dealing with someone with only half a clue. If UDP doesn't reach your server, then DNS isn't going to work. However, it doesn't need to be port forwarded to your server if the router does NAT properly.
I had initially envisaged going directly from the ONT to the NIC and reconfiguring for PPPoE, however I was advised this could not happen as fibre delivery requires VLAN tagging, unsupported by SME, and they used a MikroTik router at the front door.
If you need to use a vlan interface for your WAN that could be done, but would need some modifications.
If I go onto the site, where should I start looking and for what?
Well, for a start, knowing what works and what doesn't would be a good starting point. At the moment you either don't know or haven't told us.
Treat the mention of 'DNS amplification attacks' as uninformed waffling, and start from first principles.
-
Well, for a start, knowing what works and what doesn't would be a good starting point
At this time I believe everything is working as it should except remote access. They can surf, they can email without issue.
I would expect a DNS amplification attack to be temporary. I SUSPECT this may have come from an initial mis-config. Possibly some sort of recursion from an incorrect IP address maybe. I feel that I need to treat it seriously until I can prove otherwise.
I am guessing that if / when I can get remote access into the server, examining what has been happening via the tinydns log would be a place to start. Maybe iptraf looking at the WAN side NIC, then "feeling my way" through depending on what I find? Would that be a reasonable approach? Iptraf may be useless if the attack has ceased.
-
... examining what has been happening via the tinydns log would be a place to start
Very unlikely to be of interest. tinydns is only available from internal addresses, and only serves names for the local domains.
A DNS amplification attack is something that you are passively subjected to. It doesn't indicate a vulnerability of the server. The only logs it will generate will be iptables logs, because of unexpected inbound traffic.
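The reply above says the only trace of an amplification attack on a gateway like this would be iptables drop logs for unexpected inbound traffic. Below is an added example (not from the thread, not SME Server code) of the check a practitioner would run over such a log once on site: parse the kernel `KEY=VALUE` fields, and split inbound UDP aimed at the WAN address into unsolicited DNS replies (SPT=53 to a high port, which is what the target of an amplification attack receives, since replies to the gateway's own queries are accepted by conntrack and never logged) versus inbound DNS queries (DPT=53, someone probing the WAN side as a reflector, which also bears on the earlier point that a TCP-only "DMZ" forwards nothing on UDP 53). The log prefix `denylog:`, the addresses, and the sample lines are constructed assumptions for this example; the thresholds in `verdict()` are illustrative starting points, not tuned values.

```python
import re

# Constructed sample log lines in the kernel iptables format. The "denylog:" prefix,
# interface names and all addresses are assumptions for this example.
WAN_IP = "198.51.100.20"
SAMPLE_LOG = [
    "Apr 30 09:12:01 sme kernel: denylog:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=203.0.113.10 DST=198.51.100.20 LEN=1472 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=53 DPT=35012 LEN=1452",
    "Apr 30 09:12:01 sme kernel: denylog:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=203.0.113.11 DST=198.51.100.20 LEN=1472 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=UDP SPT=53 DPT=35012 LEN=1452",
    "Apr 30 09:12:02 sme kernel: denylog:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=203.0.113.12 DST=198.51.100.20 LEN=1470 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=35012 LEN=1450",
    "Apr 30 09:12:02 sme kernel: denylog:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=203.0.113.10 DST=198.51.100.20 LEN=1472 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=53 DPT=35012 LEN=1452",
    "Apr 30 09:12:03 sme kernel: denylog:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=192.0.2.77 DST=198.51.100.20 LEN=62 TOS=0x00 PREC=0x00 TTL=55 ID=4321 DF PROTO=UDP SPT=50432 DPT=53 LEN=42",
    "Apr 30 09:12:04 sme kernel: denylog:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=192.0.2.200 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=12345 DF PROTO=TCP SPT=41000 DPT=445 "
    "WINDOW=29200 RES=0x00 SYN URGP=0",
    "Apr 30 09:12:05 sme kernel: e1000: eth1 NIC Link is Up 1000 Mbps Full Duplex",
]

FIELD_RE = re.compile(r"(\w+)=(\S*)")
CLASSES = ("dns_reply_in", "dns_query_in", "other")


def parse_iptables_line(line):
    """Return the KEY=VALUE fields of a kernel iptables log line, or None for other lines."""
    if "IN=" not in line or "PROTO=" not in line:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line):
        # LEN= appears twice (IP total length, then UDP length); keep the first one.
        fields.setdefault(key, value)
    return fields


def classify(fields, wan_ip):
    """Bucket an inbound packet by what it says about DNS on the WAN side."""
    if fields.get("PROTO") != "UDP" or fields.get("DST") != wan_ip:
        return "other"
    if fields.get("DPT") == "53":
        return "dns_query_in"   # outside host asking our WAN IP to resolve: reflector probe or scan
    if fields.get("SPT") == "53":
        return "dns_reply_in"   # unsolicited answer we never asked for: we may be the amplification target
    return "other"


def summarize(lines, wan_ip):
    """Packets, bytes and distinct sources per class over the given log lines."""
    summary = {c: {"packets": 0, "bytes": 0, "sources": set()} for c in CLASSES}
    for line in lines:
        fields = parse_iptables_line(line)
        if fields is None:
            continue
        bucket = summary[classify(fields, wan_ip)]
        bucket["packets"] += 1
        bucket["bytes"] += int(fields.get("LEN", 0))
        bucket["sources"].add(fields.get("SRC"))
    return summary


def verdict(summary, min_sources=3, min_avg_len=512):
    """Illustrative thresholds: many sources sending large unsolicited replies = being amplified at."""
    replies = summary["dns_reply_in"]
    if replies["packets"] and len(replies["sources"]) >= min_sources \
            and replies["bytes"] / replies["packets"] >= min_avg_len:
        return "amplification-target"
    if summary["dns_query_in"]["packets"]:
        return "reflector-probe"
    return "no-dns-signal"


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG, WAN_IP)
    for cls in CLASSES:
        b = s[cls]
        print(f"{cls:14s} packets={b['packets']:4d} bytes={b['bytes']:6d} sources={len(b['sources'])}")
    print("verdict:", verdict(s))
```

Run it against the real file with `summarize(open("/var/log/iptables/current").read().splitlines(), WAN_IP)` (path assumed; adjust to wherever the gateway keeps its firewall log). If the reply bucket is empty the server was not the target, and if the query bucket is empty nobody even tried to use it as a reflector, which is the point made above: the log, not the installer's word, settles it.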
-
At this time I believe everything is working as it should except remote access
OK, in that case the only thing you should investigate is why remote access is not working as it should.
-
On the Australian NBN system, whatever is plugged into the UNI port gets the external address. We have the servers done this way and they are all working fine.
If a DNS Amplification attack was likely then we should have been slammed. Fail2ban is not showing any more activity on the NBN connections in comparison to ADSL ones.