DNS Amplification Attack (a common one)

DNS amplification attack: general information and fixes.

How I got into this.

Here is the step by step of how I met this new challenge. You may find the general info here; don't get me wrong, the solution is not that big a deal, yet it can get a bit tricky if you have a complicated network with constraints like ours.

You may find our network diagram on the site.

Everything started while I was at work: I noticed one of the networks was pushing a constant 120 KByte/s, so I went to the server and started trying to filter the source out of the logs. Thankfully, since I had begun using Munin, we were already logging the queries on the BIND server, and after "tail -f /var/log/bind" I noticed a lot of queries for isc.org, strangely asking for all the records (ANY) on that domain.
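To make that triage repeatable, here is an added example (not code from the original post) that counts ANY queries per client and name in BIND 9 query-log lines. The log lines embedded below are constructed samples in BIND's query-log layout, not lines from the author's server.

```shell
#!/bin/sh
# Added example (not from the original post): triage a BIND query log for
# the ANY-query flood described above. The log lines below are constructed
# samples in BIND 9 query-log format, not lines from the author's server.
SAMPLE_LOG='10-Jun-2013 14:02:11.100 client 203.0.113.7#53: query: isc.org IN ANY +E (192.0.2.10)
10-Jun-2013 14:02:11.101 client 203.0.113.7#53: query: isc.org IN ANY +E (192.0.2.10)
10-Jun-2013 14:02:11.103 client 203.0.113.7#53: query: isc.org IN ANY +E (192.0.2.10)
10-Jun-2013 14:02:11.150 client 198.51.100.4#4123: query: www.example.com IN A + (192.0.2.10)
10-Jun-2013 14:02:11.160 client @0x7f3c9c0 203.0.113.7#53 (isc.org): query: isc.org IN ANY +E(0)K (192.0.2.10)
10-Jun-2013 14:02:11.170 client 192.0.2.33#5353: query: mail.example.com IN MX + (192.0.2.10)'

# any_query_sources [THRESHOLD]
# Read query-log lines on stdin and print "count client qname" for every
# client that sent THRESHOLD or more ANY queries for the same name, most
# frequent first. Handles both the older "client IP#port:" and the newer
# "client @0x... IP#port (qname):" line layouts.
any_query_sources() {
    thr="${1:-3}"
    awk -v thr="$thr" '
        {
            client = ""; qname = ""; qtype = ""
            for (i = 1; i <= NF; i++) {
                # the first token containing "#" is IP#port (IPv4 or IPv6)
                if (client == "" && index($i, "#") > 0) {
                    split($i, c, "#"); client = c[1]
                }
                if ($i == "query:") { qname = $(i + 1); qtype = $(i + 3) }
            }
            if (qtype == "ANY" && client != "") n[client " " qname]++
        }
        END { for (k in n) if (n[k] >= thr + 0) print n[k], k }
    ' | sort -rn
}

# Usage over the constructed sample. On a live server use a bounded window,
# e.g.:  tail -n 20000 /var/log/bind | any_query_sources 50
# The "client" printed is the spoofed source address, i.e. the victim that
# is being flooded with your answers: it is someone to notify, not an
# address to firewall.
printf '%s\n' "$SAMPLE_LOG" | any_query_sources 3
```

Because the source address of an amplification query is forged, blocking the reported client only punishes the victim; the count is useful for confirming the pattern and for choosing what to match on in the firewall or ACL fixes.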

So at that moment I thought: research time!

Well yes, the attack is as old as time itself, but I did not know about it, as it had never happened to us, so we never cared to follow this kind of threat.

Going over the capture we found:

4.089099  (source) -> my_ip_address  DNS  Standard query ANY isc.org
4.090428  (source) -> my_ip_address  DNS  Standard query ANY isc.org
4.098280  (source) -> my_ip_address  DNS  Standard query ANY isc.org

After this, we started noticing it had been going on for a while, as you can see in the blog post, so here's the fix!

Depending on your scenario here are some options:

1. On Windows: turn off recursive queries (DNS Manager, server properties, Advanced tab, "Disable recursion").

2. On Linux (two ways): drop the offending queries with iptables, or restrict recursion with BIND ACLs.


As some may know, iptables is extensive and a robust way to protect a standard server without external help, so adding one of the following rules to your INPUT chain should get it fixed right away.

iptables -A INPUT -p udp -m string --hex-string "|03697363036f726700|" --algo bm --to 65535 -j DROP

That matches the wire-format encoding of isc.org: each label is prefixed by its length (03 "isc" 03 "org") and the name is terminated by a zero byte (00). Another way is:

iptables -A INPUT -p udp -m string --string "isc?org?" --algo bm --to 65535 -j DROP

Here each "?" stands for one of those non-printable bytes (the 0x03 label lengths and the trailing 0x00). --string takes a literal string and cannot carry those bytes, so as written this form will not match the query name; use the --hex-string version. Note that both rules match any UDP packet containing the name, including legitimate answers from isc.org's own nameservers to your resolver; adding --dport 53 restricts the match to incoming queries and avoids that collateral damage.

Remember, if another attack appears (a different domain), check the packets with Wireshark or similar and adapt the string.
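Deriving the hex string by hand is error-prone, so here is an added example (not code from the original post) that encodes any domain name in DNS wire format and prints a tightened version of the rule above, restricted to --dport 53. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): derive the --hex-string for
# any domain name and emit a tighter version of the iptables rule above.

# dns_wire_hex NAME
# Print NAME in DNS wire format as hex: each label is prefixed by its
# length byte and the name is terminated by a zero byte.
#   isc.org -> 03697363036f726700
dns_wire_hex() {
    name="${1%.}"            # tolerate a trailing dot (FQDN form)
    out=""
    old_ifs="$IFS"
    IFS='.'
    set -- $name             # split the name into labels on '.'
    IFS="$old_ifs"
    for label in "$@"; do
        len=${#label}
        # RFC 1035: a label is 1..63 octets; an empty label means "a..b"
        if [ "$len" -lt 1 ] || [ "$len" -gt 63 ]; then
            echo "dns_wire_hex: bad label '$label' in $name" >&2
            return 1
        fi
        hex=$(printf '%s' "$label" | od -An -v -tx1 | tr -d ' \n')
        out="$out$(printf '%02x' "$len")$hex"
    done
    printf '%s00\n' "$out"
}

# iptables_drop_any_for NAME
# Print an iptables rule that drops UDP queries to port 53 carrying NAME.
# Unlike the rule in the post it matches only --dport 53, so answers from
# NAME's own nameservers to your resolver (source port 53, ephemeral
# destination port) are not dropped as collateral damage.
iptables_drop_any_for() {
    hex=$(dns_wire_hex "$1") || return 1
    printf 'iptables -A INPUT -p udp --dport 53 -m string --hex-string "|%s|" --algo bm --to 65535 -j DROP\n' "$hex"
}

# Example usage: print (do not apply) the rule for the domain in the post.
iptables_drop_any_for isc.org
```

The string match still scans every UDP datagram to port 53 up to --to 65535 bytes, which costs CPU under load; it is a stopgap for the name currently being abused, while the BIND ACL fix below removes the amplification for every name.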


Turn off recursive queries for networks outside your own with ACLs.


On BIND 9


acl vpn_nets      { <vpn ranges>; };
acl external_nets { <external ranges>; };
acl local_nets    { <local ranges>; };

Add these at the beginning of the configuration file and use them in the options block (allow-recursion) so that only your own and VPN networks can recurse.
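For reference, here is an added example of the complete options block (not the author's configuration). The address ranges are placeholders from the documentation prefixes, since the real ones are not on the page.

```conf
/* Added example, not the author's configuration: the address ranges are
   placeholders, since the real ones are not on the page. */
acl local_nets    { 192.0.2.0/24; };        /* our own LAN */
acl vpn_nets      { 10.8.0.0/24; };         /* VPN clients */
acl external_nets { 198.51.100.0/24; };     /* partner ranges; must not recurse */

options {
    recursion yes;

    /* Before: an explicit (or, on old BIND releases, implicit)
       allow-recursion { any; } lets anyone recurse, so a spoofed
       "ANY isc.org" from the Internet gets a large answer reflected
       at the victim. */
    // allow-recursion { any; };

    /* After: only our own and VPN clients may recurse or read the
       cache; everyone else gets REFUSED for names we are not
       authoritative for, so there is nothing left to amplify. */
    allow-recursion   { local_nets; vpn_nets; };
    allow-query-cache { local_nets; vpn_nets; };
    allow-query       { any; };   /* our authoritative zones stay reachable */
};
```

Check the syntax with named-checkconf before reloading, then verify the effect from both sides: "dig @your.server isc.org ANY" from an address in local_nets should answer NOERROR, while the same query from outside should return status REFUSED.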

This should not happen anymore, and you should be out of the red zone.

