DNS amplification attack

Using OpenDNS has revealed some unusual activity on my network.
A lot of DNS requests for some dodgy looking domains.
Looks like a DNS amplification attack; read up on it here:
http://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack

Turns out the DNS resolver is open to the Internet. Fix this in the dnsmasq config by setting it to listen on the LAN interface only.

root@voyage:/etc/network/if-up.d# remountrw
root@voyage:/etc/network/if-up.d# vi /etc/dnsmasq.conf

# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.

interface=br0

Restart dnsmasq:

root@voyage:/etc/network/if-up.d# /etc/init.d/dnsmasq restart

Check it using this site:

http://www.thinkbroadband.com/tools/dnscheck.html
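
A local check to go with the external test, as an added example that is not part of the original post: a shell function that reads a dnsmasq config and reports whether any interface= or listen-address= line restricts the listener. The function name and the sample config are constructed for illustration; local-service and bind-interfaces are dnsmasq options the post does not mention.

```shell
#!/bin/sh
# Added example: report whether a dnsmasq config restricts where it listens.
# Returns 0 = restricted, 1 = answers on every interface, 2 = unreadable file.
audit_dnsmasq_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }

    # Keep only active directives: strip comments, whitespace, blank lines.
    active=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' \
                 -e 's/[[:space:]]*$//' -e '/^$/d' "$conf")

    ifaces=$(printf '%s\n' "$active" | sed -n 's/^interface=//p' | tr '\n' ' ')
    addrs=$(printf '%s\n' "$active" | sed -n 's/^listen-address=//p' | tr '\n' ' ')

    if [ -z "$ifaces" ] && [ -z "$addrs" ]; then
        if printf '%s\n' "$active" | grep -qx 'local-service'; then
            echo "RESTRICTED: local-service, queries accepted from local subnets only"
            return 0
        fi
        echo "OPEN: no interface= or listen-address= line, all interfaces answer"
        return 1
    fi

    if [ -n "$ifaces" ]; then echo "RESTRICTED: interface= $ifaces"; fi
    if [ -n "$addrs" ]; then echo "RESTRICTED: listen-address= $addrs"; fi

    # Without bind-interfaces dnsmasq still binds the wildcard address and
    # drops queries from other interfaces itself, so netstat shows 0.0.0.0:53.
    if ! printf '%s\n' "$active" | grep -qx 'bind-interfaces'; then
        echo "NOTE: bind-interfaces not set, socket stays on the wildcard address"
    fi
    return 0
}

# Constructed sample config mirroring the fix in the post.
sample=$(mktemp)
printf '%s\n' '# Repeat the line for more than one interface.' 'interface=br0' > "$sample"
audit_dnsmasq_conf "$sample"
rm -f "$sample"
```

A listed interface or address still has to be the LAN side; the function prints the values it found so that can be confirmed by eye.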
