
Today I met a new challenge: to defend against the UDP isc.org DNS query attack.

The attack looks like this:

20   0.090201   211.146.85.194	86.122.87.170    DNS   Standard query ANY isc.org
46   0.167341   211.146.85.194	86.122.87.170    DNS   Standard query ANY isc.org
67   0.240729   211.146.85.194	86.122.87.170    DNS   Standard query ANY isc.org
82   0.283842   211.146.85.194	86.122.87.170    DNS   Standard query ANY isc.org
122  0.413971   211.146.85.194	86.122.87.170    DNS   Standard query ANY isc.org
126  0.421386   211.146.85.194	86.122.87.170    DNS   Standard query ANY isc.org

This is how you can protect yourself:

Linux:

# iptables -A INPUT -p udp -m string --hex-string "|03697363036f726700|" --algo bm --to 65535 -j DROP

or

# iptables -A INPUT -p udp -m string --hex-string "|6973633f6f72673f|" --algo bm --to 65535 -j DROP

Snort rules:

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS isc.org DDoS"; content:"|03 69 73 63 03 6f 72 67 00|"; reference:linuxexpert.ro,369; classtype:attempted-dos; sid:4000002; rev:1; fwsam: src, 1 day;)
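The byte pattern in both the iptables rule and the Snort rule is the DNS wire-format encoding of the name isc.org (length-prefixed labels, zero terminated). The following Python is added here as an example and is not part of the original post: it derives that pattern from a name, so the same rule can be built for any abused zone, and parses a constructed query packet to check both the name and the QTYPE (ANY = 255), which a plain string match on the name does not distinguish from a harmless A lookup.

```python
import struct

def name_to_wire(name: str) -> bytes:
    """Encode a DNS name in wire format: length-prefixed labels ended by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def iptables_hex_string(name: str) -> str:
    """Render the wire-format name in the |..| syntax of iptables -m string --hex-string."""
    return "|" + name_to_wire(name).hex() + "|"

def parse_query(payload: bytes):
    """Return (qname, qtype) of the first question in a DNS query, or None if malformed."""
    if len(payload) < 12:
        return None
    _id, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:      # QR bit set: a response, not a query
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                  # compression pointer in a question: treat as malformed
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels).lower(), qtype

QTYPE_ANY = 255

def is_isc_any_query(payload: bytes) -> bool:
    """True only for the 'Standard query ANY isc.org' seen in the capture above."""
    return parse_query(payload) == ("isc.org", QTYPE_ANY)

# Constructed sample packets (not captured traffic): header with id 0x1234, RD set,
# one question; then the question isc.org, type ANY, class IN. The second packet
# asks for the same name but type A, which the string-only rules cannot tell apart.
SAMPLE_ANY_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                    + name_to_wire("isc.org") + b"\x00\xff\x00\x01")
SAMPLE_A_QUERY = SAMPLE_ANY_QUERY[:-4] + b"\x00\x01\x00\x01"
```

Running `iptables_hex_string("isc.org")` reproduces the first hex-string above exactly, so the helper can be used to generate the rule for other names.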

Also, you must secure your name servers:

Open /etc/named.conf

Look for line:

// query-source address * port 53;

Below it, insert the following lines:

version "Bind";
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };

This disables recursion, notifies, and zone transfers for any IP address outside the trusted ACL (trusted must be defined as an acl in named.conf), and hides the BIND version string.

Note:

We use hosting and VPS hosting from www.star-host.org.

We like and trust them.

Good prices, high security.