Pi-hole server involved in a 'DNS Amplification' DDOS Attack
- 
 @StuartJordan said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: They are coming from DNS Port 53 in that screenshot, where is this machine running from, home server? a Vultr VPS 
- 
 @bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: Well I suppose it's possible that @bnrstnr is hosting a public DNS service with this PiHole but I find that doubtful. . . I was hosting a public dns server with this instance. I just setup PiHole on it and a few friends and family were using it. So you won't be able to fix this issue without confirming that your friends and family systems aren't compromised. Not that a public DNS can't be used like this but it's much more likely to be within your environment to find the culprit. I'm curious to know if there would be a way to deny requests from networks that are unknown with PiHole. . . 
- 
 @StuartJordan said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: They are coming from DNS Port 53 in that screenshot, where is this machine running from, home server? Does it matter? it's on the public internet - @bnrstnr just said that. 
- 
 @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: So you won't be able to fix this issue without confirming that your friends and family systems aren't compromised. Not that a public DNS can't be used like this but it's much more likely to be within your environment to find the culprit. I highly doubt this is the case. All somebody needs to do is discover that there is a public DNS server. I would get random hits and scans all the time that show up in the PiHole GUI. 
- 
 @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: @bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: Well I suppose it's possible that @bnrstnr is hosting a public DNS service with this PiHole but I find that doubtful. . . I was hosting a public dns server with this instance. I just setup PiHole on it and a few friends and family were using it. So you won't be able to fix this issue without confirming that your friends and family systems aren't compromised. Not that a public DNS can't be used like this but it's much more likely to be within your environment to find the culprit. I'm curious to know if there would be a way to deny requests from networks that are unknown with PiHole. . . WHAT? sure, perhaps his friends were compromised - but unless @bnrstnr is limiting who can use his PiHole, then ANYONE can send faked DNS queries to it. I'm a sure @bnrstnr's server shows up in Shodan by now, so any hacker can find and use it. 
- 
 If it's a public DNS, someone else is more then likely using it... 
- 
 @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: I'm curious to know if there would be a way to deny requests from networks that are unknown with PiHole. . . Somebody was working on this at one point. I can't remember who it was and I can't find it in the tags right now. 
- 
 @bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: So you won't be able to fix this issue without confirming that your friends and family systems aren't compromised. Not that a public DNS can't be used like this but it's much more likely to be within your environment to find the culprit. I highly doubt this is the case. All somebody needs to do is discover that there is a public DNS server. I would get random hits and scans all the time that show up in the PiHole GUI. But the reported issue is that these request appear to come from your devices. IE they are spoofed or are legitimately coming from your trusted network. Can you setup ingress filtering for this? 
- 
 @bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: I'm curious to know if there would be a way to deny requests from networks that are unknown with PiHole. . . Somebody was working on this at one point. I can't remember who it was and I can't find it in the tags right now. presumably there is a firewall on the PiHole - you just only allow access from known networks - but that then gets back to my earlier post, managing changes to IPs - sure you could open the whole range for something near your friends current IPs, and I suppose that would be better than nothing. 
- 
 @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: @bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: So you won't be able to fix this issue without confirming that your friends and family systems aren't compromised. Not that a public DNS can't be used like this but it's much more likely to be within your environment to find the culprit. I highly doubt this is the case. All somebody needs to do is discover that there is a public DNS server. I would get random hits and scans all the time that show up in the PiHole GUI. But the reported issue is that these request appear to come from your devices. IE they are spoofed or are legitimately coming from your trusted network. Can you setup ingress filtering for this? What? This is not how a reflection (DNS amplication) attack works. 
- 
 @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: But the reported issue is that these request appear to come from your devices. IE they are spoofed or are legitimately coming from your trusted network. 
 Can you setup ingress filtering for this?Yeah, there is no trusted network though. Anybody that knows the IP address of the server can use it as DNS. If I understand correctly, the only thing spoofed is where the request is coming from. 
- 
 @bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: But the reported issue is that these request appear to come from your devices. IE they are spoofed or are legitimately coming from your trusted network. 
 Can you setup ingress filtering for this?Yeah, there is no trusted network though. Anybody that knows the IP address of the server can use it as DNS. If I understand correctly, the only thing spoofed is where the request is coming from. That spoofed address is what you'd have to filter out. That or setup desingated networks that can use this DNS server. (Which is likely more complicated). 
- 
 @Dashrender said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: @bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: So you won't be able to fix this issue without confirming that your friends and family systems aren't compromised. Not that a public DNS can't be used like this but it's much more likely to be within your environment to find the culprit. I highly doubt this is the case. All somebody needs to do is discover that there is a public DNS server. I would get random hits and scans all the time that show up in the PiHole GUI. But the reported issue is that these request appear to come from your devices. IE they are spoofed or are legitimately coming from your trusted network. Can you setup ingress filtering for this? What? This is not how a reflection (DNS amplication) attack works. Yes and no. We know PiHole is being used. We don't know if it's from a device that @bnrstnr knows about or not. 
- 
 you could do firewall rate limiting, or like Dustin just said designated networks. 
- 
 @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: @Dashrender said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: @bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: So you won't be able to fix this issue without confirming that your friends and family systems aren't compromised. Not that a public DNS can't be used like this but it's much more likely to be within your environment to find the culprit. I highly doubt this is the case. All somebody needs to do is discover that there is a public DNS server. I would get random hits and scans all the time that show up in the PiHole GUI. But the reported issue is that these request appear to come from your devices. IE they are spoofed or are legitimately coming from your trusted network. Can you setup ingress filtering for this? What? This is not how a reflection (DNS amplication) attack works. Yes and no. We know PiHole is being used. We don't know if it's from a device that @bnrstnr knows about or not. That's true - but that's not really relevant. Sure - it would be nice to tell his friend - hey I see your machine sending spoof'ed messages.. but the reality it that his PiHole can't see that. oh yeah, because the packets are already spoofed. 
- 
 Speaking of PiHole I have to add a few whitelist to mine since my house mates can't use a few sites. Great stupid spammy websites. 
- 
 @Dashrender said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: @Dashrender said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: @bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: So you won't be able to fix this issue without confirming that your friends and family systems aren't compromised. Not that a public DNS can't be used like this but it's much more likely to be within your environment to find the culprit. I highly doubt this is the case. All somebody needs to do is discover that there is a public DNS server. I would get random hits and scans all the time that show up in the PiHole GUI. But the reported issue is that these request appear to come from your devices. IE they are spoofed or are legitimately coming from your trusted network. Can you setup ingress filtering for this? What? This is not how a reflection (DNS amplication) attack works. Yes and no. We know PiHole is being used. We don't know if it's from a device that @bnrstnr knows about or not. That's true - but that's not really relevant. Sure - it would be nice to tell his friend - hey I see your machine sending spoof'ed messages.. but the reality it that his PiHole can't see that. oh yeah, because the packets are already spoofed. How do you think spoofed ip filters work? 
- 
 @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: @Dashrender said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: @Dashrender said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: @bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: So you won't be able to fix this issue without confirming that your friends and family systems aren't compromised. Not that a public DNS can't be used like this but it's much more likely to be within your environment to find the culprit. I highly doubt this is the case. All somebody needs to do is discover that there is a public DNS server. I would get random hits and scans all the time that show up in the PiHole GUI. But the reported issue is that these request appear to come from your devices. IE they are spoofed or are legitimately coming from your trusted network. Can you setup ingress filtering for this? What? This is not how a reflection (DNS amplication) attack works. Yes and no. We know PiHole is being used. We don't know if it's from a device that @bnrstnr knows about or not. That's true - but that's not really relevant. Sure - it would be nice to tell his friend - hey I see your machine sending spoof'ed messages.. but the reality it that his PiHole can't see that. oh yeah, because the packets are already spoofed. How do you think spoofed ip filters work? I don't even know what that is. 
- 
 Think the idea of hosting a public DNS is just asking for a headache 
 you could block all countries and just allow China and Russia. - (joking of course)
- 
 @StuartJordan said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack: Think the idea of hosting a public DNS is just asking for a headache 
 you could block all countries and just allow China and Russia. - (joking of course)Yeah - GEO IP blocking would likely be your best starting bet. But as IPs continue to diversify, that will be less and less useful. What we need to see happen is anti spoofing at the Internet Routers layer - they need to drop packets that aren't labeled as a return address for something that exists on the pipe the packet just came from. Though - that said - I think some peer to peer tech uses spoofed packets to work, so assuming that's true, that stuff would be broken. 


