
Forum Discussion

StrikedOut
Aspirant
May 29, 2015

Open recursive resolver

Hi.

I have a FVS336GV2 but I have received the following email from our ISP, what do you advise?

Hello,

You appear to be running an open recursive resolver at IP address 78.XXX.XXX.XXX that participated in an attack against a customer of ours, generating large UDP responses to spoofed queries, with those responses becoming fragmented because of their size.

Please consider reconfiguring your resolver in one or more of these ways:

- To only serve your customers and not respond to outside IP addresses (in BIND, this is done by defining a limited set of hosts in "allow-query"; with a Windows DNS server, you would need to use firewall rules to block external access to UDP port 53)
- To only serve domains that it is authoritative for (in BIND, this is done by defining a limited set of hosts in "allow-query" for the server overall but setting "allow-query" to "any" for each zone)
- To rate-limit responses to individual source IP addresses (such as by using DNS Response Rate Limiting or iptables rules)

More information on this type of attack and what each party can do to mitigate it can be found here: http://www.us-cert.gov/ncas/alerts/TA13-088A

Example DNS responses from your resolver during this attack are given below.
Date/timestamps (far left) are UTC.

2015-05-25 00:24:40.339899 IP (tos 0x0, ttl 52, id 39055, offset 0, flags [+], proto UDP (17), length 1476) 78.XXX.XXX.XXX.53 > 104.153.109.x.15618: 8844| 25/0/0 psg.com. SSHFP[|domain]
0x0000: 4500 05c4 988f 2000 3411 2814 4e21 7c67 E.......4.(.N!|g
0x0010: 6899 6d64 0035 3d02 0f87 eca9 228c 8380 h.md.5=....."...
0x0020: 0001 0019 0000 0000 0370 7367 0363 6f6d .........psg.com
0x0030: 0000 ff00 01c0 0c00 2c00 0100 0000 7200 ........,.....r.
0x0040: 1601 0168 7f6e a423 3bbe 59ee 43f0 aa52 ...h.n.#;.Y.C..R
0x0050: 56bc V.
2015-05-25 00:24:40.346238 IP (tos 0x0, ttl 52, id 39056, offset 0, flags [+], proto UDP (17), length 1476) 78.XXX.XXX.XXX.53 > 104.153.109.x.15618: 8844| 23/0/0 psg.com. SSHFP[|domain]
0x0000: 4500 05c4 9890 2000 3411 2813 4e21 7c67 E.......4.(.N!|g
0x0010: 6899 6d64 0035 3d02 0f47 7d3d 228c 8380 h.md.5=..G}="...
0x0020: 0001 0017 0000 0000 0370 7367 0363 6f6d .........psg.com
0x0030: 0000 ff00 01c0 0c00 2c00 0100 0000 7200 ........,.....r.
0x0040: 2201 0292 e796 3b9d 1e4e b74c 3870 dbb7 ".....;..N.L8p..
0x0050: a0c9 ..
2015-05-25 00:24:40.352582 IP (tos 0x0, ttl 52, id 39057, offset 0, flags [+], proto UDP (17), length 1476) 78.XXX.XXX.XXX.53 > 104.153.109.x.15618: 8844| 21/0/0 psg.com. SSHFP[|domain]
0x0000: 4500 05c4 9891 2000 3411 2812 4e21 7c67 E.......4.(.N!|g
0x0010: 6899 6d64 0035 3d02 0f0b 7582 228c 8380 h.md.5=...u."...
0x0020: 0001 0015 0000 0000 0370 7367 0363 6f6d .........psg.com
0x0030: 0000 ff00 01c0 0c00 2c00 0100 0000 7200 ........,.....r.
0x0040: 1603 01f6 2cff 47d5 a922 2aaa b543 d838 ....,.G.."*..C.8
0x0050: d2b9 ..

(The final octet of our customer's IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is "100".)

Assuring you of our best attention at all times,
Entanet ADSL Administration Team
Technical and Provision Contact Details

Can you advise what to change and where it needs changing?

Thanks.
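The ISP's excerpt is raw tcpdump output, and it is worth decoding it before changing anything on the router, because the DNS flags in it answer the question the thread keeps circling: was this address answering recursive queries for outsiders? The script below is an added example written for this page; it is not code from the thread, from NETGEAR or from the ISP. Its input is a constructed copy of the first packet in the email above, byte for byte as posted except that the two IP addresses have been swapped for RFC 5737 documentation addresses and the ASCII column has been dropped. It rebuilds the bytes, walks the IP, UDP and DNS headers and the question section, and reports what the ISP saw: RA (recursion available) set on a response to an outside address, a QTYPE ANY query for psg.com, a 3975-byte UDP datagram that had to be fragmented, and the resulting amplification factor.

```python
"""Decode one DNS response from a tcpdump -x/-X hex dump.

Added example for this thread, not from the post, NETGEAR or the ISP.
SAMPLE_DUMP is a constructed copy of the ISP's first packet: bytes as posted,
IP addresses replaced with RFC 5737 documentation addresses, ASCII column dropped.
"""
import re
import struct

# Constructed input: first 82 bytes of a 1476-byte fragment, as tcpdump printed it.
SAMPLE_DUMP = """\
0x0000: 4500 05c4 988f 2000 3411 2814 cb00 7107
0x0010: c633 6464 0035 3d02 0f87 eca9 228c 8380
0x0020: 0001 0019 0000 0000 0370 7367 0363 6f6d
0x0030: 0000 ff00 01c0 0c00 2c00 0100 0000 7200
0x0040: 1601 0168 7f6e a423 3bbe 59ee 43f0 aa52
0x0050: 56bc
"""

QTYPES = {1: "A", 16: "TXT", 28: "AAAA", 44: "SSHFP", 255: "ANY"}
HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]+:\s+(.*)$")
HEX_GROUP = re.compile(r"[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?")


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw packet bytes from tcpdump hex lines; an ASCII column is skipped."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        groups = 0
        for tok in m.group(1).split():
            # a line carries at most 8 two-byte groups; anything after that is ASCII
            if groups == 8 or not HEX_GROUP.fullmatch(tok):
                break
            out += bytes.fromhex(tok)
            groups += 1
    return bytes(out)


def parse_name(msg: bytes, off: int):
    """Read an uncompressed wire-format name at off; return (name, next offset)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def parse_response(raw: bytes) -> dict:
    """Walk IPv4 -> UDP -> DNS header -> question and return the fields that matter."""
    ihl = (raw[0] & 0x0F) * 4
    ip_total_len, _ip_id, frag = struct.unpack("!HHH", raw[2:8])
    if raw[9] != 17:
        raise ValueError("not UDP")
    sport, dport, udp_len, _ = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    dns = raw[ihl + 8:]
    dns_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", dns[:12])
    qname, off = parse_name(dns, 12)
    qtype, _qclass = struct.unpack("!HH", dns[off:off + 4])
    return {
        "src": ".".join(str(b) for b in raw[12:16]),
        "dst": ".".join(str(b) for b in raw[16:20]),
        "src_port": sport, "dst_port": dport,
        "ip_total_len": ip_total_len,
        "more_fragments": bool(frag & 0x2000),   # the IP flag tcpdump shows as [+]
        "udp_len": udp_len,                      # whole datagram, not just this fragment
        "dns_id": dns_id,
        "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200), "ra": bool(flags & 0x0080),
        "qdcount": qd, "ancount": an,
        "qname": qname, "qtype": qtype, "qtype_name": QTYPES.get(qtype, str(qtype)),
    }


def amplification_factor(udp_len: int, qname: str, edns: bool = False) -> float:
    """Response UDP payload over the smallest query that elicits it: 12-byte header,
    wire-format name, QTYPE/QCLASS, plus an 11-byte OPT RR if the attacker used EDNS0
    (which is what lets a UDP response exceed 512 bytes)."""
    wire_name = sum(len(label) + 1 for label in qname.split(".")) + 1
    return (udp_len - 8) / (12 + wire_name + 4 + (11 if edns else 0))


def findings(r: dict) -> list:
    """Plain-English reading of the decoded fields."""
    notes = []
    if r["qr"] and r["ra"]:
        notes.append("RA set on a response to %s: this host offers recursion to the internet" % r["dst"])
    if r["qtype"] == 255:
        notes.append("question was %s ANY, the type amplification attacks favour" % r["qname"])
    if r["more_fragments"]:
        notes.append("%d-byte UDP datagram sent as %d-byte IP fragments" % (r["udp_len"], r["ip_total_len"]))
    notes.append("amplification roughly %.0fx (EDNS0 query) to %.0fx (bare query)" % (
        amplification_factor(r["udp_len"], r["qname"], edns=True),
        amplification_factor(r["udp_len"], r["qname"])))
    return notes


if __name__ == "__main__":
    rep = parse_response(hexdump_to_bytes(SAMPLE_DUMP))
    print("%s:%d -> %s:%d id=%d answers=%d" % (rep["src"], rep["src_port"], rep["dst"],
                                               rep["dst_port"], rep["dns_id"], rep["ancount"]))
    for note in findings(rep):
        print(" -", note)
```

Feeding hexdump_to_bytes a capture of your own (tcpdump -n -X 'udp src port 53' on the WAN side of the router) gives the same fields for traffic leaving your network; if RA is set on responses to addresses you do not serve, the ISP's complaint is accurate whatever the firewall rule list looks like. The query sizes used for the ratio are lower bounds, since the attacker's actual query could have carried padding or a larger OPT record.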

8 Replies

  • Are you hosting a DNS server on the LAN? If so, disable recursion on the DNS server.
  • OK. So I got the call to say that the site no longer had internet access, which I knew was the change I made; this was confirmed when I undid the change and everything started working.

    So I made a change to the firewall: under inbound traffic I blocked DNS:UDP port 53. If my understanding is correct this should have the desired effect. Does this sound and look right to you guys?



    I am also curious about the other rules in there as it wasn't me that added them and they look very open to me, what are your thoughts?
  • First a question - you say the site lost internet access - is this from the site (outbound) or to the site (inbound)? Most of my client sites run their own DNS servers (usually Windows AD) and outbound internet access does not require any service rules (inbound or outbound) to be configured on the router/firewall - the NAT process handles everything transparently. It looks to me as if those services may have been configured by someone who perhaps was following instructions without knowing what they were about.
  • Hi. Site outbound. I was able to access the local server remotely but it was not resolving external URLs; I didn't test internal names. The moment I undid my change it started working.

    When I am on site next I will backup the settings and remove the rules, do you suggest removing all 5 rules?
  • The rules can be disabled/enabled individually, so disable them as step one, once you are certain they are not required, you can delete them. I would try it with all rules disabled, because, like I mentioned, I've never had to use any - your environment may not exactly parallel the ones I've done, so your mileage may vary.
    • StrikedOut
      Aspirant

      OK, so a bit of a thread resurrection, but I have been notified that the problem still persists. I have deleted all the rules in the firewall listed above except the one below.

      [attached image: firewall rules.JPG]

      I have asked for as much detail as possible from our ISP so hopefully they can get something for me to work with.

      Any more thoughts?
