Everything started with a few queries for isc.org arriving through the open DNS servers located at our data center. Searching the net, we found that we were not the victims but one of the uncompromised sources of a huge DDoS attack: a 60 byte query turns into a response 50 times larger, directed at the victims' IP addresses. Even though we were not the victims, the attacks started to threaten our own connectivity; think of hundreds of servers, each pushing 10 Mbit/s onto the Net. We needed a solution to stop those attacks.
In the end we found a way to stop DNS amplification attacks using pfSense with Snort.
The hex dump below is extracted from the raw IP data; as a sample, it shows what we captured for the ripe.net query:
0x0000: 4500 0042 6142 4000 7911 e7c3 9a23 a00b E..BaB@.y....#..
0x0010: 5e67 200f 0035 0035 002e 0000 03b8 0100 ^g...5.5........
0x0020: 0001 0000 0000 0001 0472 6970 6503 6e65 .........ripe.ne
0x0030: 7400 00ff 0001 0000 2910 0000 0080 0000 t.......).......
0x0040: 0000 ..
Use the rules below to stop DNS amplification attacks; you can paste them into the Snort interface's Advanced configuration pass-through section:
# Queries for ripe.net arriving from outside on UDP/53 (the pattern is the low byte of ARCOUNT, 01, followed by the QNAME labels 04 "ripe" 03 "net" 00)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS ripe.net UDP"; content:"|01 04 72 69 70 65 03 6e 65 74 00|"; classtype:attempted-dos; sid:4000003; rev:1;)
# Queries for isc.org; every rule needs its own unique sid, otherwise Snort refuses the rule set
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS isc.org UDP"; content:"|01 03 69 73 63 03 6f 72 67|"; classtype:attempted-dos; sid:4000004; rev:1;)
The rules were tested and add minimal overhead.
Please post a comment if you need additional DNS amplification attack rules.
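To see exactly what the rules key on, here is an added Python example (not part of the original post, standard library only) that parses the ripe.net query from the hex dump above, extracts the QNAME, the QTYPE (ANY) and the EDNS0 UDP payload size that lets a 66 byte query solicit a response of up to 4096 bytes, and checks that the ripe.net rule's content bytes occur in the DNS payload. The packet bytes are copied from the dump; the function and field names are my own.

```python
import struct

# Constructed input: the ripe.net query from the hex dump above, re-packed as raw bytes.
RAW_PACKET = bytes.fromhex(
    "45000042614240007911e7c39a23a00b"
    "5e67200f00350035002e000003b80100"
    "00010000000000010472697065036e65"
    "740000ff000100002910000000800000"
    "0000"
)
# The byte pattern the page's ripe.net Snort rule looks for: content:"|01 04 72 69 70 65 03 6e 65 74 00|"
RIPE_RULE_CONTENT = bytes.fromhex("010472697065036e657400")
QTYPE_ANY, RR_TYPE_OPT = 255, 41


def read_name(buf, off):
    """Decode an uncompressed DNS name at buf[off:]; return (dotted name, offset after it)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(buf[off:off + n].decode("ascii"))
        off += n


def parse_query(pkt):
    """Parse IPv4 -> UDP -> DNS and pull out the fields that make a query an amplifier."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    if pkt[9] != 17:
        raise ValueError("not a UDP packet")
    sport, dport, _ulen = struct.unpack_from("!HHH", pkt, ihl)
    dns = ihl + 8                                   # DNS message starts after the UDP header
    _txid, _flags, _qd, _an, _ns, ar = struct.unpack_from("!6H", pkt, dns)
    qname, off = read_name(pkt, dns + 12)
    qtype, _qclass = struct.unpack_from("!HH", pkt, off)
    off += 4
    edns_size = None
    if ar:  # EDNS0 OPT pseudo-RR: root name, type 41, CLASS field = advertised UDP payload size
        _, off = read_name(pkt, off)
        rtype, rclass = struct.unpack_from("!HH", pkt, off)
        if rtype == RR_TYPE_OPT:
            edns_size = rclass
    return {
        "sport": sport, "dport": dport, "query_bytes": total_len,
        "qname": qname, "qtype": qtype, "qtype_any": qtype == QTYPE_ANY, "edns_udp_size": edns_size,
        # Upper bound on the response/query size ratio this single query can trigger.
        "max_amplification": round(edns_size / total_len, 1) if edns_size else None,
        "matches_rule": RIPE_RULE_CONTENT in pkt[dns:],
    }
```

Note that the rule's content pattern matches on the name alone, so legitimate queries for ripe.net from outside will trigger it as well; the ANY type and the 4096 byte EDNS size are what distinguish the amplification query in the dump.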