Thursday, January 2, 2014

Open DNS Recursive Resolver Attack

Dear blog reader, a few days back I faced a huge DNS amplification/reflection attack coming from Mikrotik (MT) routers. The attack was launched from different sources toward different destinations.

This attack has also been seen with routers from other vendors, such as the D-Link DI-1705b, Buffalo, AirLive and Cisco (Cisco Systems, Inc. Firmware: 4608).

The attack is possible because the MT router answers recursive DNS queries arriving on its WAN interface, i.e. it acts as an open resolver. To close it, apply the following filter rules, which drop TCP and UDP packets with destination port 53:

IP > Firewall > Filter Rules:
chain=input action=drop protocol=udp in-interface=ether1-WAN dst-port=53
chain=input action=drop protocol=tcp in-interface=ether1-WAN dst-port=53

Equivalent rules can be applied on other routers to block port 53 on the WAN side and so disable the open resolver.

Please note: in-interface should be your WAN port.

How to check whether your IP is being used as an open resolver

Linux command

#dig -t A @

Note: put your own IP address after the @.
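The same check done by hand, as an added example that is not part of the original post: it builds the A query that dig sends, fires it at the IP you give it (assumed to be your own router's WAN address) and reads the reply header. A resolver is open when it returns a recursive answer (RA set, NOERROR, at least one record) to a stranger; the query name example.com is an assumption, and the amplification figure is just reply size over query size.

```python
import socket
import struct
import sys

def build_query(name, txid=0x1234):
    """Minimal DNS A query with RD=1, equivalent to what `dig -t A name @ip` sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(resp):
    """Decode the 12-byte DNS header into the fields the verdict needs."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "ancount": an}

def verdict(query, resp):
    """Open resolver = it recursed for us: RA set, NOERROR, at least one answer."""
    if resp is None:
        return {"open": False, "reason": "no response (port 53 filtered or closed)"}
    h = parse_header(resp)
    if not h["qr"] or h["id"] != struct.unpack("!H", query[:2])[0]:
        return {"open": False, "reason": "not a reply to our query"}
    if h["rcode"] == 5:
        return {"open": False, "reason": "REFUSED: answers but will not recurse for us"}
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return {"open": True, "reason": "recursive answer returned",
                "amplification": round(len(resp) / len(query), 2)}
    return {"open": False,
            "reason": "rcode %d, ra=%s, answers=%d" % (h["rcode"], h["ra"], h["ancount"])}

def check_resolver(ip, name="example.com", timeout=3.0):
    """Send one query to ip:53/udp and return the verdict dict."""
    q = build_query(name)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(q, (ip, 53))
        resp, _ = sock.recvfrom(4096)
    except socket.timeout:
        resp = None  # a filtered WAN port (the fix above) shows up here
    finally:
        sock.close()
    return verdict(q, resp)

if __name__ == "__main__":
    print(check_resolver(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it as `python3 check.py <your-ip>`; after the port 53 filter is in place the expected result is "no response".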

1 comment:

  1. Fixed for me.
    Added it for the PPPoE connection and the Ethernet interface, and the ISP reports everything is OK now.
    Thank you very much!