M BUZZ CRAZE NEWS

Server flooded by DNS attack on port 53

By John Parsons

I have been getting a flood of traffic all day on UDP port 53.

Sample output of tcpdump using "tcpdump -n -i eth0 udp port 53"

14:29:48.734275 IP 212.174.17.28.53 > 23.92.19.211.443: 1 ServFail 0/0/0 (26)
14:29:48.734411 IP 181.205.60.90.53 > 23.92.19.211.443: 1 ServFail 0/0/0 (26)
14:29:48.736001 IP 91.227.157.215.53 > 23.92.19.211.443: 1 ServFail 0/0/0 (26)
14:29:48.747291 IP 81.166.123.10.53 > 23.92.19.211.443: 1 ServFail 0/0/0 (26)
14:29:48.747717 IP 5.21.69.18.53 > 23.92.19.211.443: 1 ServFail 0/0/0 (26)
14:29:48.748619 IP 181.129.19.2.53 > 23.92.19.211.443: 1 ServFail 0/0/0 (26)
14:29:48.754033 IP 190.217.63.35.53 > 23.92.19.211.443: 1 34/4/0 RRSIG, Type51, Type51, Type51, RRSIG, RRSIG, DNSKEY, MX ferc-gov.mail.protection.outlook.com. 0, RRSIG[|domain]
14:29:48.757301 IP 102.36.152.84.53 > 23.92.19.211.443: 1| 17/0/0 RRSIG, RRSIG, RRSIG, Type51, A 52.247.175.68, RRSIG, RRSIG[|domain]
14:29:48.758980 IP 185.5.181.37.53 > 23.92.19.211.443: 1 7/4/8 NS ns2.glb.ferc.gov., DS, NS ns1.glb.ferc.gov., DS, NS ns3.glb.ferc.gov., RRSIG, NS ns4.glb.ferc.gov. (565)
14:29:48.765462 IP 46.0.203.44.53 > 23.92.19.211.443: 1 4/4/0 NS ns4.glb.ferc.gov., NS ns1.glb.ferc.gov., NS ns2.glb.ferc.gov., NS ns3.glb.ferc.gov. (158)
14:29:48.778194 IP 89.169.30.191.53 > 23.92.19.211.443: 1 ServFail 0/0/0 (26)

And this continues; there are over 20K IPs that have been attacking my server.

I am unable to stop this attack. I have blocked udp port 53 using iptables with

iptables -A INPUT -p udp --dport 53 -j DROP

But this isn't working. This attack is draining my bandwidth and I don't know what to do. Any help appreciated! Thanks!

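The capture above is worth reading field by field before touching the firewall: every line has source port 53 and destination port 443, and it carries a DNS answer (ServFail or a large DNSSEC-signed record set), not a query. Those are replies to queries the server never sent; someone else sent the queries with this server's address forged as the source, and the resolvers dutifully reply to it. The following script is an added example, not part of the question or either answer, that classifies lines in this tcpdump format into replies the host asked for versus unsolicited reflected replies, and tallies the reflectors and bytes. The sample capture is constructed with documentation addresses, not the real one from the question.

```python
import re
from collections import Counter

# Constructed sample in the same shape as "tcpdump -n udp port 53" output:
# five reflected replies (port 53 -> our port 443), one query we sent, one reply to it.
SAMPLE_CAPTURE = """\
14:29:48.734275 IP 203.0.113.10.53 > 198.51.100.7.443: 1 ServFail 0/0/0 (26)
14:29:48.734411 IP 203.0.113.11.53 > 198.51.100.7.443: 1 ServFail 0/0/0 (26)
14:29:48.754033 IP 203.0.113.12.53 > 198.51.100.7.443: 1 34/4/0 RRSIG, DNSKEY, MX mail.example. 0, RRSIG[|domain]
14:29:48.758980 IP 203.0.113.13.53 > 198.51.100.7.443: 1 7/4/8 NS ns1.example., DS, RRSIG (565)
14:29:48.760000 IP 203.0.113.10.53 > 198.51.100.7.443: 1 ServFail 0/0/0 (26)
14:29:49.100000 IP 198.51.100.7.40123 > 203.0.113.53.53: 4711+ A? www.example. (30)
14:29:49.101000 IP 203.0.113.53.53 > 198.51.100.7.40123: 4711 1/0/0 A 192.0.2.80 (46)
"""

# timestamp, src.port > dst.port, then tcpdump's DNS summary
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<dns>.*)$"
)
SIZE_RE = re.compile(r"\((\d+)\)\s*$")   # trailing "(565)" is the UDP payload length
EPHEMERAL_MIN = 32768                    # Linux default net.ipv4.ip_local_port_range starts here


def parse_line(line):
    """Return the fields of one tcpdump DNS line, or None if the line has another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    dns = m.group("dns")
    size = SIZE_RE.search(dns)
    return {
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "is_query": "?" in dns,                        # "A? name" marks a query; replies carry counts
        "servfail": "ServFail" in dns,
        "size": int(size.group(1)) if size else None,  # truncated lines ("[|domain]") have no size
    }


def analyze(capture_text, our_ip):
    """Split DNS traffic seen by our_ip into our own queries/answers and unsolicited replies."""
    responders = Counter()
    stats = Counter()
    for line in capture_text.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        if p["src"] == our_ip and p["dport"] == 53:
            stats["our_queries"] += 1                  # we asked a resolver something
            continue
        if p["dst"] == our_ip and p["sport"] == 53 and not p["is_query"]:
            if p["dport"] >= EPHEMERAL_MIN:
                stats["answers_to_us"] += 1            # reply to a query this host sent
                continue
            # A reply from port 53 aimed at one of our service ports (443 here) answers
            # a query we never sent: the real querier forged our address as its source.
            stats["reflected_replies"] += 1
            responders[p["src"]] += 1
            stats["servfail_replies"] += int(p["servfail"])
            if p["size"] is not None:
                stats["reflected_bytes"] += p["size"]
    return {
        "our_queries": stats["our_queries"],
        "answers_to_us": stats["answers_to_us"],
        "reflected_replies": stats["reflected_replies"],
        "distinct_reflectors": len(responders),
        "servfail_replies": stats["servfail_replies"],
        "reflected_bytes": stats["reflected_bytes"],   # undercounts: truncated lines carry no size
        "top_reflectors": responders.most_common(3),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_CAPTURE, "198.51.100.7").items():
        print(f"{key}: {value}")
```

Run it against a real capture with `tcpdump -n -i eth0 udp port 53 > capture.txt` and `analyze(open("capture.txt").read(), "<your IP>")`. A large `distinct_reflectors` count with all replies landing on one service port is the signature of reflection rather than a misbehaving resolver, and the 20K figure in the question is the number of open resolvers being abused, not the number of attackers, which is also why blocking individual sources on the host does nothing for bandwidth.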

2 Answers

Upon further inspection it looks like it is actually a flood on 443, not 53. The 53 is the source port, which is meaningless. However, I have modified my suggestions to screen source ports.

This will ONLY block the traffic from entering your system. You will have to have your ISP mitigate the actual attack.

iptables -I INPUT 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT 2 -m udp -p udp --sport 53 -j DROP
iptables -I INPUT 3 -m tcp -p tcp --sport 53 -j DROP

These are both likely necessary.

You need to allow valid traffic first, also iptables has a sequential order of operations.

INPUT -A

Appends the rule at the bottom of the list, and therefore your rule is most likely being superseded by another rule.

Addendum:

iptables -I INPUT 4 -m tcp -p tcp --dport 443 -j DROP

I forgot the -m tcp and -m udp so I revised this posting.

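The ordering point in this answer is easy to check without touching a live firewall. The toy evaluator below is an added example (it is not iptables and models only `-p`, `--sport`, `--dport` and `--ctstate`); it applies first-match semantics to a hypothetical baseline INPUT chain that already accepts established traffic, HTTPS and all UDP, which is the kind of rule the answer guesses is superseding the question's appended `--dport 53` rule. It then runs three constructed packets through both the question's rule and the rules from this answer: a reflected reply (UDP 53 to 443, which conntrack sees as NEW), a reply to a DNS query the host sent itself (ESTABLISHED), and a new inbound HTTPS connection.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    ctstate: str    # "NEW", "ESTABLISHED" or "RELATED", as conntrack would label it


@dataclass
class Rule:
    target: str                    # "ACCEPT" or "DROP"
    proto: Optional[str] = None    # -p
    sport: Optional[int] = None    # --sport
    dport: Optional[int] = None    # --dport
    ctstates: tuple = ()           # -m conntrack --ctstate

    def matches(self, pkt):
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.sport is None or self.sport == pkt.sport)
                and (self.dport is None or self.dport == pkt.dport)
                and (not self.ctstates or pkt.ctstate in self.ctstates))


class Chain:
    """Ordered rule list with first-match semantics, like an iptables chain."""

    def __init__(self, policy="ACCEPT"):
        self.rules, self.policy = [], policy

    def append(self, rule):        # iptables -A: the rule goes to the bottom
        self.rules.append(rule)

    def insert(self, pos, rule):   # iptables -I INPUT <pos>: 1-based position from the top
        self.rules.insert(pos - 1, rule)

    def verdict(self, pkt):
        for rule in self.rules:    # the first matching rule decides
            if rule.matches(pkt):
                return rule.target
        return self.policy         # nothing matched: the chain policy applies


def baseline_chain():
    """Hypothetical pre-existing INPUT chain assumed for the example."""
    c = Chain()
    c.append(Rule("ACCEPT", ctstates=("RELATED", "ESTABLISHED")))
    c.append(Rule("ACCEPT", proto="tcp", dport=443))   # the web service
    c.append(Rule("ACCEPT", proto="udp"))              # blanket UDP accept
    return c


def question_chain():
    """The question's rule: iptables -A INPUT -p udp --dport 53 -j DROP"""
    c = baseline_chain()
    c.append(Rule("DROP", proto="udp", dport=53))
    return c


def answer_chain():
    """This answer's rules, inserted at positions 1-4 so they sit above the baseline."""
    c = baseline_chain()
    c.insert(1, Rule("ACCEPT", ctstates=("RELATED", "ESTABLISHED")))
    c.insert(2, Rule("DROP", proto="udp", sport=53))
    c.insert(3, Rule("DROP", proto="tcp", sport=53))
    c.insert(4, Rule("DROP", proto="tcp", dport=443))  # the addendum rule
    return c


# Constructed packets modelled on the question's capture.
REFLECTED = Packet("udp", 53, 443, "NEW")              # unsolicited reply: conntrack has no entry
OWN_DNS_REPLY = Packet("udp", 53, 40123, "ESTABLISHED")  # reply to a query this host sent
NEW_HTTPS = Packet("tcp", 51000, 443, "NEW")           # a client opening an HTTPS connection


def verdicts(chain):
    """Verdict of the chain for each of the three sample packets."""
    return {name: chain.verdict(p) for name, p in
            [("reflected", REFLECTED), ("own_dns_reply", OWN_DNS_REPLY), ("new_https", NEW_HTTPS)]}


if __name__ == "__main__":
    print("question's rule:", verdicts(question_chain()))
    print("answer's rules: ", verdicts(answer_chain()))
```

Two things fall out of running it. The question's rule never fires on the reflected packets at all: their destination port is 443, so `--dport 53` does not match regardless of where in the chain it sits, and the blanket UDP accept above it would have taken the packet first anyway. The answer's `--sport 53` rule does match, and because the conntrack ACCEPT is inserted at position 1 the host's own DNS lookups still get their answers. The addendum rule at position 4 also drops every new inbound HTTPS connection, not only attack traffic, so it only makes sense on a host that is not serving HTTPS on that port. And as the other answer notes, a DROP on the host discards the packet after it has already crossed the link, so none of these rules recover bandwidth.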

There's nothing you can do on your server to prevent unwanted packets from being received. Your server doesn't "pull" the packets in, they arrive unasked. You can only make the server ignore them (like you did with iptables), but you cannot stop them from arriving at the server's network port in the first place.

Ask your ISP or hosting company for help – they can apply filtering within their network before the packets reach your system (larger ones even have dedicated infrastructure just for handling packet floods), and/or they also can move your server to a different IP address that isn't receiving these packets.
