ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Pi-hole server involved in a 'DNS Amplification' DDOS Attack

    Scheduled Pinned Locked Moved IT Discussion
    pi-holepiholeddosdns amplification
    69 Posts 9 Posters 9.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • DustinB3403D
      DustinB3403 @bnrstnr
      last edited by

      @bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

      @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

      So you won't be able to fix this issue without confirming that your friends and family systems aren't compromised. Not that a public DNS can't be used like this but it's much more likely to be within your environment to find the culprit.

      I highly doubt this is the case. All somebody needs to do is discover that there is a public DNS server. I would get random hits and scans all the time that show up in the PiHole GUI.

      But the reported issue is that these request appear to come from your devices. IE they are spoofed or are legitimately coming from your trusted network.

      Can you setup ingress filtering for this?

      DashrenderD B 2 Replies Last reply Reply Quote 0
      • DashrenderD
        Dashrender @bnrstnr
        last edited by

        @bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

        @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

        I'm curious to know if there would be a way to deny requests from networks that are unknown with PiHole. . .

        Somebody was working on this at one point. I can't remember who it was and I can't find it in the tags right now.

        presumably there is a firewall on the PiHole - you just only allow access from known networks - but that then gets back to my earlier post, managing changes to IPs - sure you could open the whole range for something near your friends current IPs, and I suppose that would be better than nothing.

        1 Reply Last reply Reply Quote 0
        • DashrenderD
          Dashrender @DustinB3403
          last edited by Dashrender

          @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

          @bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

          @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

          So you won't be able to fix this issue without confirming that your friends and family systems aren't compromised. Not that a public DNS can't be used like this but it's much more likely to be within your environment to find the culprit.

          I highly doubt this is the case. All somebody needs to do is discover that there is a public DNS server. I would get random hits and scans all the time that show up in the PiHole GUI.

          But the reported issue is that these request appear to come from your devices. IE they are spoofed or are legitimately coming from your trusted network.

          Can you setup ingress filtering for this?

          What? This is not how a reflection (DNS amplication) attack works.

          DustinB3403D 1 Reply Last reply Reply Quote 0
          • B
            bnrstnr @DustinB3403
            last edited by

            @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

            But the reported issue is that these request appear to come from your devices. IE they are spoofed or are legitimately coming from your trusted network.
            Can you setup ingress filtering for this?

            Yeah, there is no trusted network though. Anybody that knows the IP address of the server can use it as DNS. If I understand correctly, the only thing spoofed is where the request is coming from.

            DustinB3403D 1 Reply Last reply Reply Quote 0
            • DustinB3403D
              DustinB3403 @bnrstnr
              last edited by

              @bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

              @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

              But the reported issue is that these request appear to come from your devices. IE they are spoofed or are legitimately coming from your trusted network.
              Can you setup ingress filtering for this?

              Yeah, there is no trusted network though. Anybody that knows the IP address of the server can use it as DNS. If I understand correctly, the only thing spoofed is where the request is coming from.

              That spoofed address is what you'd have to filter out.

              That or setup desingated networks that can use this DNS server. (Which is likely more complicated).

              1 Reply Last reply Reply Quote 0
              • DustinB3403D
                DustinB3403 @Dashrender
                last edited by

                @Dashrender said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                @bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                So you won't be able to fix this issue without confirming that your friends and family systems aren't compromised. Not that a public DNS can't be used like this but it's much more likely to be within your environment to find the culprit.

                I highly doubt this is the case. All somebody needs to do is discover that there is a public DNS server. I would get random hits and scans all the time that show up in the PiHole GUI.

                But the reported issue is that these request appear to come from your devices. IE they are spoofed or are legitimately coming from your trusted network.

                Can you setup ingress filtering for this?

                What? This is not how a reflection (DNS amplication) attack works.

                Yes and no. We know PiHole is being used. We don't know if it's from a device that @bnrstnr knows about or not.

                DashrenderD 1 Reply Last reply Reply Quote 0
                • CloudKnightC
                  CloudKnight
                  last edited by

                  you could do firewall rate limiting, or like Dustin just said designated networks.

                  1 Reply Last reply Reply Quote 0
                  • DashrenderD
                    Dashrender @DustinB3403
                    last edited by

                    @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                    @Dashrender said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                    @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                    @bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                    @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                    So you won't be able to fix this issue without confirming that your friends and family systems aren't compromised. Not that a public DNS can't be used like this but it's much more likely to be within your environment to find the culprit.

                    I highly doubt this is the case. All somebody needs to do is discover that there is a public DNS server. I would get random hits and scans all the time that show up in the PiHole GUI.

                    But the reported issue is that these request appear to come from your devices. IE they are spoofed or are legitimately coming from your trusted network.

                    Can you setup ingress filtering for this?

                    What? This is not how a reflection (DNS amplication) attack works.

                    Yes and no. We know PiHole is being used. We don't know if it's from a device that @bnrstnr knows about or not.

                    That's true - but that's not really relevant. Sure - it would be nice to tell his friend - hey I see your machine sending spoof'ed messages.. but the reality it that his PiHole can't see that. oh yeah, because the packets are already spoofed.

                    DustinB3403D 1 Reply Last reply Reply Quote 0
                    • DustinB3403D
                      DustinB3403
                      last edited by

                      Speaking of PiHole I have to add a few whitelist to mine since my house mates can't use a few sites.

                      Great stupid spammy websites.

                      1 Reply Last reply Reply Quote 0
                      • DustinB3403D
                        DustinB3403 @Dashrender
                        last edited by

                        @Dashrender said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                        @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                        @Dashrender said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                        @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                        @bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                        @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                        So you won't be able to fix this issue without confirming that your friends and family systems aren't compromised. Not that a public DNS can't be used like this but it's much more likely to be within your environment to find the culprit.

                        I highly doubt this is the case. All somebody needs to do is discover that there is a public DNS server. I would get random hits and scans all the time that show up in the PiHole GUI.

                        But the reported issue is that these request appear to come from your devices. IE they are spoofed or are legitimately coming from your trusted network.

                        Can you setup ingress filtering for this?

                        What? This is not how a reflection (DNS amplication) attack works.

                        Yes and no. We know PiHole is being used. We don't know if it's from a device that @bnrstnr knows about or not.

                        That's true - but that's not really relevant. Sure - it would be nice to tell his friend - hey I see your machine sending spoof'ed messages.. but the reality it that his PiHole can't see that. oh yeah, because the packets are already spoofed.

                        How do you think spoofed ip filters work?

                        DashrenderD 1 Reply Last reply Reply Quote 0
                        • DashrenderD
                          Dashrender @DustinB3403
                          last edited by

                          @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                          @Dashrender said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                          @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                          @Dashrender said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                          @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                          @bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                          @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                          So you won't be able to fix this issue without confirming that your friends and family systems aren't compromised. Not that a public DNS can't be used like this but it's much more likely to be within your environment to find the culprit.

                          I highly doubt this is the case. All somebody needs to do is discover that there is a public DNS server. I would get random hits and scans all the time that show up in the PiHole GUI.

                          But the reported issue is that these request appear to come from your devices. IE they are spoofed or are legitimately coming from your trusted network.

                          Can you setup ingress filtering for this?

                          What? This is not how a reflection (DNS amplication) attack works.

                          Yes and no. We know PiHole is being used. We don't know if it's from a device that @bnrstnr knows about or not.

                          That's true - but that's not really relevant. Sure - it would be nice to tell his friend - hey I see your machine sending spoof'ed messages.. but the reality it that his PiHole can't see that. oh yeah, because the packets are already spoofed.

                          How do you think spoofed ip filters work?

                          I don't even know what that is.

                          1 Reply Last reply Reply Quote 0
                          • CloudKnightC
                            CloudKnight
                            last edited by

                            Think the idea of hosting a public DNS is just asking for a headache
                            you could block all countries and just allow China and Russia. - (joking of course)

                            DashrenderD 1 Reply Last reply Reply Quote 0
                            • DashrenderD
                              Dashrender @CloudKnight
                              last edited by

                              @StuartJordan said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                              Think the idea of hosting a public DNS is just asking for a headache
                              you could block all countries and just allow China and Russia. - (joking of course)

                              Yeah - GEO IP blocking would likely be your best starting bet. But as IPs continue to diversify, that will be less and less useful.

                              What we need to see happen is anti spoofing at the Internet Routers layer - they need to drop packets that aren't labeled as a return address for something that exists on the pipe the packet just came from.

                              Though - that said - I think some peer to peer tech uses spoofed packets to work, so assuming that's true, that stuff would be broken.

                              B 1 Reply Last reply Reply Quote 1
                              • B
                                bnrstnr @Dashrender
                                last edited by bnrstnr

                                @Dashrender said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                                GEO IP blocking

                                This is what I was thinking. Maybe a decent starting point, but probably not super useful as they use the targets address as the source(if I understand correctly), so any attacks on a US target would be allowed. This attack just happened to be against a Russian VPN service, so it might have helped here.

                                1 Reply Last reply Reply Quote 1
                                • C
                                  Curtis @bnrstnr
                                  last edited by

                                  https://freek.ws/2017/03/18/blocking-dns-amplification-attacks-using-iptables/

                                  DustinB3403D 1 Reply Last reply Reply Quote 0
                                  • DustinB3403D
                                    DustinB3403 @Curtis
                                    last edited by

                                    @Curtis said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                                    https://freek.ws/2017/03/18/blocking-dns-amplification-attacks-using-iptables/

                                    That filtering will only work for LAN only, at least as documented and would be troublesome to complete for this use case as @bnrstnr is hosting a public DNS for friends and family. All of whom likely are in different public networks.

                                    scottalanmillerS 1 Reply Last reply Reply Quote 0
                                    • scottalanmillerS
                                      scottalanmiller @CloudKnight
                                      last edited by

                                      @StuartJordan said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                                      Have you looked in /var/logs? might be worth looking to see how they have managed to get in. otherwise you could setup another PI-Hole and the same thing could happen. Did you use a secure passwords for SSH and the login page? no dictionary passwords?

                                      DNS Amplification does not require a breach, nor suggest one. It's just something that can happen to public DNS.

                                      1 Reply Last reply Reply Quote 1
                                      • scottalanmillerS
                                        scottalanmiller @DustinB3403
                                        last edited by

                                        @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                                        @Curtis said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                                        https://freek.ws/2017/03/18/blocking-dns-amplification-attacks-using-iptables/

                                        That filtering will only work for LAN only, at least as documented and would be troublesome to complete for this use case as @bnrstnr is hosting a public DNS for friends and family. All of whom likely are in different public networks.

                                        Yup, very little that can be done.

                                        1 Reply Last reply Reply Quote 0
                                        • DustinB3403D
                                          DustinB3403
                                          last edited by

                                          Dumb question for @bnrstnr why not setup PiHole individually for each of your friends and families networks rather than dealing with a public DNS for everyone.

                                          Is there a reason to have this setup like this besides it being cool?

                                          scottalanmillerS B 2 Replies Last reply Reply Quote 0
                                          • scottalanmillerS
                                            scottalanmiller @DustinB3403
                                            last edited by

                                            @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                                            Dumb question for @bnrstnr why not setup PiHole individually for each of your friends and families networks rather than dealing with a public DNS for everyone.

                                            Is there a reason to have this setup like this besides it being cool?

                                            Uses a fraction of the resources, can work for people who are mobile, etc.

                                            DustinB3403D 1 Reply Last reply Reply Quote 1
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 2 / 4
                                            • First post
                                              Last post