DNS attack vectors.(asa log - Deny inbound UDP due to DNS response)

jmattbullen
Level 1

One of the logs I see daily is something that looks like this: "Deny inbound UDP from 115.230.124.3/53 to 12.52.478.5/2713 due to DNS Response." Googling that log tells you that it is an ASA prevention method that shuts down that flow as soon as one response comes in. However, looking up the locations of some of the sources, there was no way one of my internal clients would be querying them for DNS unless they were infected and were using these to do DNS spoofs. Doing some research I found that my clients are not sending out queries to these guys. They are sending DNS responses without a query being made, so I was thinking they were trying to guess the port and transaction ID to do a man-in-the-middle attack. However, I've done a capture on one of the offenders and, looking at the crafted packet in Wireshark, the response packet is to random queries that no one would be going to, and also they don't include any "Answer RRs", so there is no IP that they are trying to redirect the DNS to in the packet. So I'm not really sure what they are trying to accomplish. Anyone know? I've attached a screenshot of one of the packets.

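The packet shape the original poster describes (QR bit set, a question section for a name nobody here asked about, ANCOUNT of zero) can be checked programmatically. The script below is an added example, not code from the thread or from Cisco: it builds a constructed DNS response the same way, parses the header and sections, and separates a solicited reply from an unsolicited one with answer RRs (a poisoning guess would need those) and from an unsolicited one with no answer RRs at all. The `outstanding` set stands in for whatever record of in-flight queries a resolver or sensor keeps; its `(txid, qname)` keying is an assumption of this example.

```python
import struct

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_response(txid, qname, rdata=None, rcode=0):
    """Constructed sample packet (not from the thread's capture): a DNS response
    with QR=1, RD=1, RA=1 and one A question. With rdata=None it has the
    'no Answer RRs' shape the poster saw; with an IPv4 string it carries one A RR."""
    ancount = 0 if rdata is None else 1
    flags = 0x8180 | (rcode & 0xF)
    pkt = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    pkt += encode_name(qname) + struct.pack("!HH", 1, 1)       # QTYPE A, QCLASS IN
    if rdata is not None:
        # NAME as compression pointer to offset 12, TYPE A, CLASS IN, TTL, RDLENGTH 4
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        pkt += bytes(int(o) for o in rdata.split("."))
    return pkt

def read_name(pkt, off, max_hops=8):
    """Decode a name at off, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appeared at off)."""
    labels, end, hops = [], None, 0
    while True:
        ln = pkt[off]
        if (ln & 0xC0) == 0xC0:                      # parentheses matter: & binds looser than ==
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)

def parse_dns(pkt):
    """Parse header, question and answer sections of a DNS message."""
    if len(pkt) < 12:
        raise ValueError("short DNS packet")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(pkt, off)
        qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, rdata))
    return {"txid": txid, "is_response": bool(flags >> 15), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}

def classify(pkt, outstanding):
    """outstanding: set of (txid, qname) pairs this host actually sent and awaits.
    Assumed bookkeeping for the example; a real resolver also keys on src/port."""
    d = parse_dns(pkt)
    if not d["is_response"]:
        return "query"
    qname = d["questions"][0][0] if d["questions"] else ""
    if (d["txid"], qname) in outstanding:
        return "solicited response"
    if d["answers"]:
        return "unsolicited response with answer RRs: possible cache-poisoning guess"
    return "unsolicited response without answer RRs: reflection traffic, no answer data to inject"

if __name__ == "__main__":
    empty = build_response(0x1234, "example.com")      # constructed, matches the poster's description
    print(parse_dns(empty))
    print(classify(empty, set()))
    print(classify(build_response(0x1234, "example.com", rdata="203.0.113.10"), set()))
```

A response with ANCOUNT=0 cannot plant a record in a resolver's cache, which is why an empty-answer reply from a stranger points at the victim being a reflection target rather than the object of a spoofing attempt.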
7 Replies

William Gill
Level 1

We are receiving thousands of these same "Deny inbound UDP from x.x.x.x/53 to x.x.x.x/2713 due to DNS Response" messages per minute on our ASA 5510. This is overloading the ASA and preventing traffic getting through to the Internet during these attacks. Any suggestions for what we can do to mitigate this problem? All of the responses are destined to a single one of our external IPs.

William, I never got confirmation from anyone on the forum, but my research led me to believe it is a DNS amplification attack. Basically, someone crafts a DNS request with your IP as the source and sends it off to a bunch of open resolvers. They all reply back to you and boom, an instant DNS-based DoS attack. I don't know that there is anything you can do about it in your realm of control, being that it has already crossed the pipe when it enters your management domain. My best estimate would be to work with your ISP and block any traffic with a source port of 53 unless it is from your trusted external DNS sources. Others might have a more elegant solution.
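
The reflection pattern described in this reply has a recognisable signature in the ASA syslog: many unrelated resolvers, all with source port 53, converging on one address and one port that never sent them a query. The script below is an added example, not from the thread or from Cisco, that parses a handful of constructed log lines in the format quoted above and produces that summary per target address, separating resolvers the site actually trusts from everything else. The `%ASA-2-106007` prefix in the samples is the syslog ID I expect for this message, but the parser keys only on the message body, so a different ID still matches; the `min_sources` threshold and the RFC 5737 addresses are assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Matches the message body the thread quotes, plus the leading timestamp.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}).*?"
    r"Deny inbound UDP from (?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+) "
    r"to (?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+) "
    r"due to DNS (?P<kind>Response|Query)"
)

# Constructed sample log (documentation addresses, not a real capture):
# four unrelated "resolvers" and one trusted one all hitting 203.0.113.5/2713,
# one stray reply to another host, and one unrelated ASA message to be ignored.
SAMPLE_LOG = """\
Mar 10 2014 09:15:01 fw01 %ASA-2-106007: Deny inbound UDP from 198.51.100.7/53 to 203.0.113.5/2713 due to DNS Response
Mar 10 2014 09:15:02 fw01 %ASA-2-106007: Deny inbound UDP from 198.51.100.8/53 to 203.0.113.5/2713 due to DNS Response
Mar 10 2014 09:15:03 fw01 %ASA-2-106007: Deny inbound UDP from 198.51.100.9/53 to 203.0.113.5/2713 due to DNS Response
Mar 10 2014 09:15:04 fw01 %ASA-2-106007: Deny inbound UDP from 198.51.100.7/53 to 203.0.113.5/2713 due to DNS Response
Mar 10 2014 09:15:05 fw01 %ASA-2-106007: Deny inbound UDP from 198.51.100.10/53 to 203.0.113.5/2713 due to DNS Response
Mar 10 2014 09:15:06 fw01 %ASA-2-106007: Deny inbound UDP from 192.0.2.53/53 to 203.0.113.5/2713 due to DNS Response
Mar 10 2014 09:15:10 fw01 %ASA-2-106007: Deny inbound UDP from 198.51.100.8/53 to 203.0.113.5/2713 due to DNS Response
Mar 10 2014 09:15:11 fw01 %ASA-2-106007: Deny inbound UDP from 192.0.2.53/53 to 203.0.113.9/41022 due to DNS Response
Mar 10 2014 09:15:12 fw01 %ASA-6-302015: Built outbound UDP connection 12345 for outside:192.0.2.53/53
"""

def parse_line(line):
    """Return a dict for a DNS-deny line, or None for any other message."""
    m = LINE_RE.search(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%b %d %Y %H:%M:%S")
    e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
    return e

def summarize(lines, trusted_resolvers=frozenset(), min_sources=3):
    """Group DNS-response denies by target address and flag targets that receive
    replies from at least min_sources distinct untrusted resolvers, all from
    source port 53: the shape of a reflection flood rather than a late reply."""
    events = [e for e in map(parse_line, lines) if e and e["kind"] == "Response"]
    by_dst = defaultdict(list)
    for e in events:
        by_dst[e["dst"]].append(e)
    report = {}
    for dst, evs in by_dst.items():
        srcs = Counter(e["src"] for e in evs)
        untrusted = Counter({s: n for s, n in srcs.items() if s not in trusted_resolvers})
        first, last = min(e["ts"] for e in evs), max(e["ts"] for e in evs)
        span = max((last - first).total_seconds(), 1.0)     # avoid /0 for a single event
        reflection = len(untrusted) >= min_sources and all(e["sport"] == 53 for e in evs)
        report[dst] = {
            "denies": len(evs),
            "per_minute": round(len(evs) * 60 / span, 2),
            "target_ports": sorted({e["dport"] for e in evs}),
            "distinct_untrusted_sources": len(untrusted),
            "top_sources": untrusted.most_common(5),
            "verdict": ("reflection/amplification flood" if reflection
                        else "late or stray reply, likely benign"),
        }
    return report

if __name__ == "__main__":
    for dst, r in summarize(SAMPLE_LOG.splitlines(), trusted_resolvers={"192.0.2.53"}).items():
        print(dst, r)
```

The `top_sources` list is what you would hand to the ISP: the replying resolvers are not the attacker, but they are the addresses whose port-53 traffic upstream filtering would need to drop while leaving the trusted resolvers alone.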

I would strongly suggest putting an IPS device in front of your ASA. This will allow for anomaly detection and will help in preventing what you are experiencing at the moment. It is always a good idea to also work with your ISP with these types of cases, but remember that they can only help out after you are under attack...unless they sell a service that includes DDoS prevention, etc.

--

Please remember to rate and select a correct answer

Thanks. This is why we are in the process of replacing our ASA's with a NGFW.

The Cisco TAC engineer we spoke to recommended we allow any any UDP port 53 inbound to correct the problem. I don't see how allowing UDP port 53 traffic into our network would solve the problem, but it will stop the deny messages. Does this sound like a good idea?

Thanks for the reply. I figured it was some type of reflective DNS attack, but I just wasn't sure if anything could be done on the ASA to stop it. It appears that there isn't. I've contacted my ISP, but they don't seem to be in any hurry to call me back.

Since you say you are replacing your ASAs with a NGFW, I suppose the one you have installed is not an X series ASA, i.e. ASA 5585-X. If you have an X series ASA you could activate the IPS license on it and be good to go.

--

Please remember to rate and select a correct answer