ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Pi-hole server involved in a 'DNS Amplification' DDOS Attack

    Scheduled Pinned Locked Moved IT Discussion
    pi-holepiholeddosdns amplification
    69 Posts 9 Posters 9.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • DashrenderD
      Dashrender @DustinB3403
      last edited by

      @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

      Just secure the PiHole host. Assuming Ubuntu

      Should get you going.

      What makes you think the host is insecure? or been breached?

      DNS reflection attacks - assuming you're hosting a public DNS service, not sure you can do anything about it.

      1 Reply Last reply Reply Quote 2
      • B
        bnrstnr @DustinB3403
        last edited by

        @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

        Just secure the PiHole host. Assuming Ubuntu

        Should get you going.

        I don't think any of this would prevent a DNS Amplification attack.

        https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/

        1 Reply Last reply Reply Quote 0
        • DashrenderD
          Dashrender @bnrstnr
          last edited by

          @bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

          uh oh :face_screaming_in_fear: I guess I'll just tear down the instance and make a new one.

          For future reference is there any decent way to protect against this happening in the future?

          The only thing I can think you can do is limit who is allowed to use your PiHole. Though assuming you're using typical consumer ISPs, you might not have static IPs to lock to, instead forcing you to setup DDNS services for anyone trying to use your PiHole - what a PITA.

          1 Reply Last reply Reply Quote 1
          • DustinB3403D
            DustinB3403
            last edited by

            Well I suppose it's possible that @bnrstnr is hosting a public DNS service with this PiHole but I find that doubtful. . .

            It is just as likely a client on his network is compromised and was spamming his PiHole server and sending those requests out.

            DashrenderD B 2 Replies Last reply Reply Quote 0
            • DashrenderD
              Dashrender @DustinB3403
              last edited by

              @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

              Well I suppose it's possible that @bnrstnr is hosting a public DNS service with this PiHole but I find that doubtful. . .

              It is just as likely a client on his network is compromised and was spamming his PiHole server and sending those requests out.

              @bnrstnr are you using a publicly hosted PiHole?

              1 Reply Last reply Reply Quote 0
              • B
                bnrstnr @DustinB3403
                last edited by

                @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                Well I suppose it's possible that @bnrstnr is hosting a public DNS service with this PiHole but I find that doubtful. . .

                I was hosting a public dns server with this instance. I just setup PiHole on it and a few friends and family were using it.

                DustinB3403D 1 Reply Last reply Reply Quote 0
                • CloudKnightC
                  CloudKnight
                  last edited by

                  They are coming from DNS Port 53 in that screenshot, where is this machine running from, home server?

                  B DashrenderD 2 Replies Last reply Reply Quote 0
                  • B
                    bnrstnr @CloudKnight
                    last edited by

                    @StuartJordan said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                    They are coming from DNS Port 53 in that screenshot, where is this machine running from, home server?

                    a Vultr VPS

                    1 Reply Last reply Reply Quote 0
                    • DustinB3403D
                      DustinB3403 @bnrstnr
                      last edited by

                      @bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                      @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                      Well I suppose it's possible that @bnrstnr is hosting a public DNS service with this PiHole but I find that doubtful. . .

                      I was hosting a public dns server with this instance. I just setup PiHole on it and a few friends and family were using it.

                      So you won't be able to fix this issue without confirming that your friends and family systems aren't compromised. Not that a public DNS can't be used like this but it's much more likely to be within your environment to find the culprit.

                      I'm curious to know if there would be a way to deny requests from networks that are unknown with PiHole. . .

                      B DashrenderD 3 Replies Last reply Reply Quote 0
                      • DashrenderD
                        Dashrender @CloudKnight
                        last edited by

                        @StuartJordan said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                        They are coming from DNS Port 53 in that screenshot, where is this machine running from, home server?

                        Does it matter? it's on the public internet - @bnrstnr just said that.

                        1 Reply Last reply Reply Quote 0
                        • B
                          bnrstnr @DustinB3403
                          last edited by

                          @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                          So you won't be able to fix this issue without confirming that your friends and family systems aren't compromised. Not that a public DNS can't be used like this but it's much more likely to be within your environment to find the culprit.

                          I highly doubt this is the case. All somebody needs to do is discover that there is a public DNS server. I would get random hits and scans all the time that show up in the PiHole GUI.

                          DustinB3403D 1 Reply Last reply Reply Quote 1
                          • DashrenderD
                            Dashrender @DustinB3403
                            last edited by

                            @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                            @bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                            @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                            Well I suppose it's possible that @bnrstnr is hosting a public DNS service with this PiHole but I find that doubtful. . .

                            I was hosting a public dns server with this instance. I just setup PiHole on it and a few friends and family were using it.

                            So you won't be able to fix this issue without confirming that your friends and family systems aren't compromised. Not that a public DNS can't be used like this but it's much more likely to be within your environment to find the culprit.

                            I'm curious to know if there would be a way to deny requests from networks that are unknown with PiHole. . .

                            WHAT? sure, perhaps his friends were compromised - but unless @bnrstnr is limiting who can use his PiHole, then ANYONE can send faked DNS queries to it. I'm a sure @bnrstnr's server shows up in Shodan by now, so any hacker can find and use it.

                            1 Reply Last reply Reply Quote 0
                            • CloudKnightC
                              CloudKnight
                              last edited by

                              If it's a public DNS, someone else is more then likely using it...

                              1 Reply Last reply Reply Quote 0
                              • B
                                bnrstnr @DustinB3403
                                last edited by

                                @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                                I'm curious to know if there would be a way to deny requests from networks that are unknown with PiHole. . .

                                Somebody was working on this at one point. I can't remember who it was and I can't find it in the tags right now.

                                DashrenderD 1 Reply Last reply Reply Quote 0
                                • DustinB3403D
                                  DustinB3403 @bnrstnr
                                  last edited by

                                  @bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                                  @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                                  So you won't be able to fix this issue without confirming that your friends and family systems aren't compromised. Not that a public DNS can't be used like this but it's much more likely to be within your environment to find the culprit.

                                  I highly doubt this is the case. All somebody needs to do is discover that there is a public DNS server. I would get random hits and scans all the time that show up in the PiHole GUI.

                                  But the reported issue is that these request appear to come from your devices. IE they are spoofed or are legitimately coming from your trusted network.

                                  Can you setup ingress filtering for this?

                                  DashrenderD B 2 Replies Last reply Reply Quote 0
                                  • DashrenderD
                                    Dashrender @bnrstnr
                                    last edited by

                                    @bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                                    @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                                    I'm curious to know if there would be a way to deny requests from networks that are unknown with PiHole. . .

                                    Somebody was working on this at one point. I can't remember who it was and I can't find it in the tags right now.

                                    presumably there is a firewall on the PiHole - you just only allow access from known networks - but that then gets back to my earlier post, managing changes to IPs - sure you could open the whole range for something near your friends current IPs, and I suppose that would be better than nothing.

                                    1 Reply Last reply Reply Quote 0
                                    • DashrenderD
                                      Dashrender @DustinB3403
                                      last edited by Dashrender

                                      @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                                      @bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                                      @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                                      So you won't be able to fix this issue without confirming that your friends and family systems aren't compromised. Not that a public DNS can't be used like this but it's much more likely to be within your environment to find the culprit.

                                      I highly doubt this is the case. All somebody needs to do is discover that there is a public DNS server. I would get random hits and scans all the time that show up in the PiHole GUI.

                                      But the reported issue is that these request appear to come from your devices. IE they are spoofed or are legitimately coming from your trusted network.

                                      Can you setup ingress filtering for this?

                                      What? This is not how a reflection (DNS amplication) attack works.

                                      DustinB3403D 1 Reply Last reply Reply Quote 0
                                      • B
                                        bnrstnr @DustinB3403
                                        last edited by

                                        @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                                        But the reported issue is that these request appear to come from your devices. IE they are spoofed or are legitimately coming from your trusted network.
                                        Can you setup ingress filtering for this?

                                        Yeah, there is no trusted network though. Anybody that knows the IP address of the server can use it as DNS. If I understand correctly, the only thing spoofed is where the request is coming from.

                                        DustinB3403D 1 Reply Last reply Reply Quote 0
                                        • DustinB3403D
                                          DustinB3403 @bnrstnr
                                          last edited by

                                          @bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                                          @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                                          But the reported issue is that these request appear to come from your devices. IE they are spoofed or are legitimately coming from your trusted network.
                                          Can you setup ingress filtering for this?

                                          Yeah, there is no trusted network though. Anybody that knows the IP address of the server can use it as DNS. If I understand correctly, the only thing spoofed is where the request is coming from.

                                          That spoofed address is what you'd have to filter out.

                                          That or setup desingated networks that can use this DNS server. (Which is likely more complicated).

                                          1 Reply Last reply Reply Quote 0
                                          • DustinB3403D
                                            DustinB3403 @Dashrender
                                            last edited by

                                            @Dashrender said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                                            @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                                            @bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                                            @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                                            So you won't be able to fix this issue without confirming that your friends and family systems aren't compromised. Not that a public DNS can't be used like this but it's much more likely to be within your environment to find the culprit.

                                            I highly doubt this is the case. All somebody needs to do is discover that there is a public DNS server. I would get random hits and scans all the time that show up in the PiHole GUI.

                                            But the reported issue is that these request appear to come from your devices. IE they are spoofed or are legitimately coming from your trusted network.

                                            Can you setup ingress filtering for this?

                                            What? This is not how a reflection (DNS amplication) attack works.

                                            Yes and no. We know PiHole is being used. We don't know if it's from a device that @bnrstnr knows about or not.

                                            DashrenderD 1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 4 / 4
                                            • First post
                                              Last post