Earlier today I received a ticket from Linode that my server is "acting as an unrestricted open resolver". Unfortunately I don't know what that means. Here is all the info I have from Linode
dportalatin
13 hours ago
Hello,
We have received a report of malicious activity originating from your Linode. It appears that your Linode is being used to attack other servers with a DNS amplification attack. We ask that you investigate this matter as soon as possible to determine why this activity is originating from your Linode.
If you were not aware that activity of this nature was originating from your Linode, it is likely that your Linode has been compromised, and you'll want to take appropriate action.
We take the integrity of our network very seriously, and we appreciate your cooperation in investigating this activity. Please keep us updated via this ticket as you look into the issue.
As we cannot allow activity of this nature on our network, we ask that you update this ticket promptly or we may need to power down your Linode to prevent further malicious activity.
If you have any questions or concerns, please let us know!
Regards,
Dolores
dportalatin
13 hours ago
Subject: UDP Flood Attack From 173.255.218.204
Our network has been repeatedly attacked from this above marked IP with
UDP attacks. Please take actions to secure this machine, and prevent it
from attacking us (or anyone else). Attached are some truncated logs from
when we were under an attack from this IP.
The IP that was targeted was 208.110.65.133
If it helps, this appears to have been a DNS amplification/reflection attack, where our IP was spoofed to cause your server to send us data we did not request. If possible, please verify that basic precautions have been taken to prevent this type of attack, such as disabling recursion, and rate-limiting. Failing that, you can directly block this one IP, as it will never directly request DNS from your server.
Here is an article that has more information:
http://technet.microsoft.com/en-us/secu ... 72393.aspx (more information can be found via google, etc)
If action is being taken to remedy this situation, no reply is necessary. This attack was part of a DDoS comprising over 50,000 other DNS servers being exploited against us in a similar fashion, and is not presently ongoing against our network. Unless it is patched, your DNS server will continue to be used in these attack vectors against other people.
Thanks for your attention and quick resolution of this matter.
Sincerely,
d2jsp.org Email Support
Hello,
The issue is related to you running a DNS server which is acting as an unrestricted open resolver:
$ dig @173.255.218.204 version.bind chaos txt +short
"9.3.6-P1-RedHat-9.3.6-16.P1.el5"
$ dig in a google.com @173.255.218.204 +short
173.194.69.102
173.194.69.113
173.194.69.138
173.194.69.139
173.194.69.100
173.194.69.101
As a result, your Linode is being used in a distributed DNS amplification attack. You'll want to review your DNS server configuration to employ the necessary settings so it is not acting as an open resolver. If you require assistance with this task, we'd encourage you to reach out to our active user community. Many members of the Linode community are seasoned IT consultants and system administrators, and are usually more than happy to help out:
http://www.linode.com/community/
Specifically, our IRC server has over 400 members of the Linode community in there now:
http://www.linode.com/irc/
Please keep us updated on your progress. Thanks in advance!
Regards,
Danny
I have a linode with Kloxo running on it and I use Linode's DNS manager for my DNS stuff. I really have no idea where to start reading to approach fixing this issue. Any help would be greatly appreciated.
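The dig check quoted in the Linode reply, redone as a small checker you can run against your own server (an added example, not code from the thread or from Linode): it sends the same recursive A query for google.com that `dig` sends and reads the RA flag and RCODE of the reply. Only `probe()` touches the network; the sample replies are constructed, and the transaction id 0x1234 is an arbitrary choice.

```python
import socket
import struct

# DNS header flag bits (RFC 1035): QR = this is a response, RD = recursion
# desired, RA = recursion available; the low four bits carry the RCODE.
QR, RD, RA, RCODE_MASK = 0x8000, 0x0100, 0x0080, 0x000F
RCODE_NOERROR, RCODE_REFUSED = 0, 5

def build_query(name, txn_id=0x1234):
    """Plain UDP query for an A record with RD set, as `dig` sends by default."""
    header = struct.pack("!HHHHHH", txn_id, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(response):
    """Pull out the header fields an open-resolver check needs."""
    txn_id, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    return {"id": txn_id, "qr": bool(flags & QR), "ra": bool(flags & RA),
            "rcode": flags & RCODE_MASK, "ancount": ancount}

def classify(response, expected_id=0x1234):
    """'open' if the server recursed for a name it is not authoritative for,
    'closed' if it refused or only handed back a referral."""
    h = parse_header(response)
    if not h["qr"] or h["id"] != expected_id:
        return "inconclusive"  # not a reply to our query
    if h["rcode"] == RCODE_REFUSED:
        return "closed"
    if h["rcode"] == RCODE_NOERROR and not h["ra"] and h["ancount"] == 0:
        return "closed"  # referral to the roots: it will not recurse for us
    if h["rcode"] == RCODE_NOERROR and h["ra"] and h["ancount"] > 0:
        return "open"
    return "inconclusive"

def probe(server, name="google.com", timeout=3.0):
    """Send the query to `server` over UDP and classify the reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    return classify(data)

# Constructed sample replies (header plus echoed question; answer records are
# omitted because classify() only reads the header). Not captured traffic.
_QUESTION = build_query("google.com")[12:]
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 6, 0, 0) + _QUESTION
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | RCODE_REFUSED, 1, 0, 0, 0) + _QUESTION
```

On the BIND 9.3 that the version.bind query reveals, the matching fix is `recursion no;` in the `options` block of named.conf (or `allow-recursion { localhost; };` if the box itself needs to resolve names), after which `probe()` against the server should report closed rather than open.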