
{"id":459,"date":"2009-01-21T12:18:20","date_gmt":"2009-01-21T15:18:20","guid":{"rendered":"https:\/\/www.talsoft-security.com\/site\/?p=459"},"modified":"2009-01-21T12:19:18","modified_gmt":"2009-01-21T15:19:18","slug":"ataque-de-denegacion-de-servicio-a-servidores-dns","status":"publish","type":"post","link":"https:\/\/www.talsoft-security.com\/site\/ataque-de-denegacion-de-servicio-a-servidores-dns\/","title":{"rendered":"Denial-of-Service Attack on DNS Servers"},"content":{"rendered":"<p>Today I received several DoS attacks against the DNS server at my workplace. Investigating a little, I found a published document that was very useful to me:<\/p>\n<p>Since yesterday, many people have been reporting strange queries on their DNS servers at a rate of 2 connections per second. These queries ask the server for the domain \u201c.\u201d. Queries for \u201c.\u201d are queries for the root name servers; they are very small queries with fairly large responses. 
This attack uses the DNS snooping technique, in which spoofed IP addresses are used to generate queries to a DNS server; the DNS server (which acts as an amplifier) then sends the responses back to the spoofed addresses, setting off a chain reaction.<\/p>\n<p>In your system logs you may see entries similar to these:<\/p>\n<pre>Jan 19 23:58:57 ns1 named[3593]: client 76.9.31.42#10070: query (cache) '.\/NS\/IN' denied\r\nJan 19 23:58:58 ns1 named[3593]: client 69.50.142.110#60820: query (cache) '.\/NS\/IN' denied<\/pre>\n<p>For example, this is the number of attacks on one of my servers yesterday:<\/p>\n<pre># zcat \/var\/log\/syslog.1.gz | grep \"Jan 19\" | grep -c \"'.\/NS\/IN' denied\"\r\n76058<\/pre>\n<p>And so far today (20\/01\/2009 18:02):<\/p>\n<pre># grep \"Jan 20\" syslog | grep -c \"'.\/NS\/IN' denied\"\r\n42883<\/pre>\n<p>So far, most of the attacks come from these IP addresses:<\/p>\n<p><strong>76.9.31.42<br \/>\n76.9.16.171<br \/>\n69.50.142.11<br \/>\n69.50.142.110<br \/>\n66.230.160.1<br \/>\n66.230.128.15<\/strong><\/p>\n<p>It is therefore advisable to block these addresses at the firewall or router; that way we block the traffic before it reaches our servers, and the logs do not fill up.<\/p>\n<p>An online tool has been published to check whether your DNS server is a target for this type of attack; the link is: <a title=\"DNS test\" onclick=\"javascript:urchinTracker('\/outbound\/isc1.sans.org\/dnstest.html?ref=http_\/\/www.google.com\/search?hl=es_q=query+_28cache_29+_27._2FNS_2FIN_27+denied+_btnG=Buscar_lr=');\" href=\"http:\/\/isc1.sans.org\/dnstest.html\" target=\"_blank\">http:\/\/isc1.sans.org\/dnstest.html<\/a>.<\/p>\n<p>In my case it returned something like this:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" 
src=\"http:\/\/tuxjm.net\/wp-content\/themes\/Ghacks2\/images\/dns-snooping-test.png\" alt=\"DNS snooping attack\" width=\"553\" height=\"375\" \/><\/p>\n<p>If it does not give you a satisfactory result, your DNS server is probably misconfigured.<\/p>\n<p>Here is what a bind9 configuration that prevents this type of attack should look like:<\/p>\n<pre>\/\/ Global options\r\noptions {\r\n        directory \"\/var\/cache\/bind\";\r\n\r\n        allow-query {\r\n                127.0.0.1;\r\n        };\r\n\r\n};\r\n\r\n\/\/ Zone definitions\r\nzone \"tuxjm.net\" {\r\n        type master;\r\n        file \"\/etc\/bind\/pri\/db.tuxjm.net.zone\";\r\n        allow-query { any; };\r\n};<\/pre>\n<p>In practice, the global options are configured so that only trusted hosts (only<strong> localhost<\/strong>) can use this server as a DNS cache; that is, we block all queries that do not originate locally. So as not to block queries for our authoritative domains, or those of type <strong>master<\/strong>, we add the statement <strong>allow-query { any; };<\/strong> inside the zone definition to allow queries from anywhere for this domain.<\/p>\n<p><strong>NOTE:<\/strong> If this same server is used as a DNS cache for a local network, it is advisable to add the local subnet to allow-query in the global section.<\/p>\n<p>I hope this document helps you verify that your DNS server is secure.<\/p>\n<p>Source: tuxjm.net<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today I received several DoS attacks against the DNS server at my workplace. Investigating a little, I found a published document that was very useful to me: Since yesterday, many people have been reporting 
strange queries on their DNS servers at a rate of 2 connections per second. These queries [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[1],"tags":[],"class_list":["post-459","post","type-post","status-publish","format-standard","hentry","category-profesional"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.6 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>TalSoft - Seguridad Inform\u00e1tica Empresarial - Denial-of-Service Attack on DNS Servers<\/title>\n<meta name=\"description\" content=\"Talsoft transforms companies' vision so that they can protect their critical and confidential information against computer attacks. Consult us free of charge.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.talsoft-security.com\/site\/ataque-de-denegacion-de-servicio-a-servidores-dns\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Leandro Ferrari\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.talsoft-security.com\/site\/ataque-de-denegacion-de-servicio-a-servidores-dns\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.talsoft-security.com\/site\/ataque-de-denegacion-de-servicio-a-servidores-dns\/\"},\"author\":{\"name\":\"Leandro 
Ferrari\",\"@id\":\"https:\/\/www.talsoft-security.com\/site\/#\/schema\/person\/83d2ebde035a5a030c14e522351953c8\"},\"headline\":\"Denial-of-Service Attack on DNS Servers\",\"datePublished\":\"2009-01-21T15:18:20+00:00\",\"dateModified\":\"2009-01-21T15:19:18+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.talsoft-security.com\/site\/ataque-de-denegacion-de-servicio-a-servidores-dns\/\"},\"wordCount\":416,\"publisher\":{\"@id\":\"https:\/\/www.talsoft-security.com\/site\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.talsoft-security.com\/site\/ataque-de-denegacion-de-servicio-a-servidores-dns\/#primaryimage\"},\"thumbnailUrl\":\"http:\/\/tuxjm.net\/wp-content\/themes\/Ghacks2\/images\/dns-snooping-test.png\",\"articleSection\":[\"Profesional\"],\"inLanguage\":\"en-GB\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.talsoft-security.com\/site\/ataque-de-denegacion-de-servicio-a-servidores-dns\/\",\"url\":\"https:\/\/www.talsoft-security.com\/site\/ataque-de-denegacion-de-servicio-a-servidores-dns\/\",\"name\":\"TalSoft - Seguridad Inform\u00e1tica Empresarial - Denial-of-Service Attack on DNS Servers\",\"isPartOf\":{\"@id\":\"https:\/\/www.talsoft-security.com\/site\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.talsoft-security.com\/site\/ataque-de-denegacion-de-servicio-a-servidores-dns\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.talsoft-security.com\/site\/ataque-de-denegacion-de-servicio-a-servidores-dns\/#primaryimage\"},\"thumbnailUrl\":\"http:\/\/tuxjm.net\/wp-content\/themes\/Ghacks2\/images\/dns-snooping-test.png\",\"datePublished\":\"2009-01-21T15:18:20+00:00\",\"dateModified\":\"2009-01-21T15:19:18+00:00\",\"description\":\"Talsoft transforms companies' vision so that they can protect their critical and confidential information against computer attacks. 
Consult us free of charge.\",\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.talsoft-security.com\/site\/ataque-de-denegacion-de-servicio-a-servidores-dns\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/www.talsoft-security.com\/site\/ataque-de-denegacion-de-servicio-a-servidores-dns\/#primaryimage\",\"url\":\"http:\/\/tuxjm.net\/wp-content\/themes\/Ghacks2\/images\/dns-snooping-test.png\",\"contentUrl\":\"http:\/\/tuxjm.net\/wp-content\/themes\/Ghacks2\/images\/dns-snooping-test.png\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.talsoft-security.com\/site\/#website\",\"url\":\"https:\/\/www.talsoft-security.com\/site\/\",\"name\":\"TalSoft TS - Services IT Security\",\"description\":\"Talsoft is transforming awareness, control and decision-making power so that companies can protect their critical and confidential information from computer attacks.\",\"publisher\":{\"@id\":\"https:\/\/www.talsoft-security.com\/site\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.talsoft-security.com\/site\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.talsoft-security.com\/site\/#organization\",\"name\":\"Talsoft TS\",\"url\":\"https:\/\/www.talsoft-security.com\/site\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/www.talsoft-security.com\/site\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.talsoft-security.com\/site\/wp-content\/uploads\/2014\/02\/talsoft_logo_270x125.png\",\"contentUrl\":\"https:\/\/www.talsoft-security.com\/site\/wp-content\/uploads\/2014\/02\/talsoft_logo_270x125.png\",\"width\":270,\"height\":125,\"caption\":\"Talsoft 
TS\"},\"image\":{\"@id\":\"https:\/\/www.talsoft-security.com\/site\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"http:\/\/www.facebook.com\/talsoftsrl\",\"https:\/\/x.com\/talsoft\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.talsoft-security.com\/site\/#\/schema\/person\/83d2ebde035a5a030c14e522351953c8\",\"name\":\"Leandro Ferrari\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/www.talsoft-security.com\/site\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/cd259c10675b9fd302b2e6264231febeeeb3de578400cf8c91c6577e50a0d34a?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/cd259c10675b9fd302b2e6264231febeeeb3de578400cf8c91c6577e50a0d34a?s=96&d=mm&r=g\",\"caption\":\"Leandro Ferrari\"},\"sameAs\":[\"http:\/\/www.talsoft.com.ar\",\"https:\/\/www.facebook.com\/talsoftsrl\/\",\"https:\/\/x.com\/avatar_leandro\"],\"url\":\"https:\/\/www.talsoft-security.com\/site\/author\/leandro\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"TalSoft - Seguridad Inform\u00e1tica Empresarial - Denial-of-Service Attack on DNS Servers","description":"Talsoft transforms companies' vision so that they can protect their critical and confidential information against computer attacks. 
Consult us free of charge.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.talsoft-security.com\/site\/ataque-de-denegacion-de-servicio-a-servidores-dns\/","twitter_misc":{"Written by":"Leandro Ferrari","Estimated reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.talsoft-security.com\/site\/ataque-de-denegacion-de-servicio-a-servidores-dns\/#article","isPartOf":{"@id":"https:\/\/www.talsoft-security.com\/site\/ataque-de-denegacion-de-servicio-a-servidores-dns\/"},"author":{"name":"Leandro Ferrari","@id":"https:\/\/www.talsoft-security.com\/site\/#\/schema\/person\/83d2ebde035a5a030c14e522351953c8"},"headline":"Denial-of-Service Attack on DNS Servers","datePublished":"2009-01-21T15:18:20+00:00","dateModified":"2009-01-21T15:19:18+00:00","mainEntityOfPage":{"@id":"https:\/\/www.talsoft-security.com\/site\/ataque-de-denegacion-de-servicio-a-servidores-dns\/"},"wordCount":416,"publisher":{"@id":"https:\/\/www.talsoft-security.com\/site\/#organization"},"image":{"@id":"https:\/\/www.talsoft-security.com\/site\/ataque-de-denegacion-de-servicio-a-servidores-dns\/#primaryimage"},"thumbnailUrl":"http:\/\/tuxjm.net\/wp-content\/themes\/Ghacks2\/images\/dns-snooping-test.png","articleSection":["Profesional"],"inLanguage":"en-GB"},{"@type":"WebPage","@id":"https:\/\/www.talsoft-security.com\/site\/ataque-de-denegacion-de-servicio-a-servidores-dns\/","url":"https:\/\/www.talsoft-security.com\/site\/ataque-de-denegacion-de-servicio-a-servidores-dns\/","name":"TalSoft - Seguridad Inform\u00e1tica Empresarial - Denial-of-Service Attack on DNS 
Servers","isPartOf":{"@id":"https:\/\/www.talsoft-security.com\/site\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.talsoft-security.com\/site\/ataque-de-denegacion-de-servicio-a-servidores-dns\/#primaryimage"},"image":{"@id":"https:\/\/www.talsoft-security.com\/site\/ataque-de-denegacion-de-servicio-a-servidores-dns\/#primaryimage"},"thumbnailUrl":"http:\/\/tuxjm.net\/wp-content\/themes\/Ghacks2\/images\/dns-snooping-test.png","datePublished":"2009-01-21T15:18:20+00:00","dateModified":"2009-01-21T15:19:18+00:00","description":"Talsoft transforms companies' vision so that they can protect their critical and confidential information against computer attacks. Consult us free of charge.","inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.talsoft-security.com\/site\/ataque-de-denegacion-de-servicio-a-servidores-dns\/"]}]},{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/www.talsoft-security.com\/site\/ataque-de-denegacion-de-servicio-a-servidores-dns\/#primaryimage","url":"http:\/\/tuxjm.net\/wp-content\/themes\/Ghacks2\/images\/dns-snooping-test.png","contentUrl":"http:\/\/tuxjm.net\/wp-content\/themes\/Ghacks2\/images\/dns-snooping-test.png"},{"@type":"WebSite","@id":"https:\/\/www.talsoft-security.com\/site\/#website","url":"https:\/\/www.talsoft-security.com\/site\/","name":"TalSoft TS - Services IT Security","description":"Talsoft is transforming awareness, control and decision-making power so that companies can protect their critical and confidential information from computer 
attacks.","publisher":{"@id":"https:\/\/www.talsoft-security.com\/site\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.talsoft-security.com\/site\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Organization","@id":"https:\/\/www.talsoft-security.com\/site\/#organization","name":"Talsoft TS","url":"https:\/\/www.talsoft-security.com\/site\/","logo":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/www.talsoft-security.com\/site\/#\/schema\/logo\/image\/","url":"https:\/\/www.talsoft-security.com\/site\/wp-content\/uploads\/2014\/02\/talsoft_logo_270x125.png","contentUrl":"https:\/\/www.talsoft-security.com\/site\/wp-content\/uploads\/2014\/02\/talsoft_logo_270x125.png","width":270,"height":125,"caption":"Talsoft TS"},"image":{"@id":"https:\/\/www.talsoft-security.com\/site\/#\/schema\/logo\/image\/"},"sameAs":["http:\/\/www.facebook.com\/talsoftsrl","https:\/\/x.com\/talsoft"]},{"@type":"Person","@id":"https:\/\/www.talsoft-security.com\/site\/#\/schema\/person\/83d2ebde035a5a030c14e522351953c8","name":"Leandro Ferrari","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/www.talsoft-security.com\/site\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/cd259c10675b9fd302b2e6264231febeeeb3de578400cf8c91c6577e50a0d34a?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/cd259c10675b9fd302b2e6264231febeeeb3de578400cf8c91c6577e50a0d34a?s=96&d=mm&r=g","caption":"Leandro 
Ferrari"},"sameAs":["http:\/\/www.talsoft.com.ar","https:\/\/www.facebook.com\/talsoftsrl\/","https:\/\/x.com\/avatar_leandro"],"url":"https:\/\/www.talsoft-security.com\/site\/author\/leandro\/"}]}},"_links":{"self":[{"href":"https:\/\/www.talsoft-security.com\/site\/wp-json\/wp\/v2\/posts\/459","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.talsoft-security.com\/site\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.talsoft-security.com\/site\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.talsoft-security.com\/site\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.talsoft-security.com\/site\/wp-json\/wp\/v2\/comments?post=459"}],"version-history":[{"count":3,"href":"https:\/\/www.talsoft-security.com\/site\/wp-json\/wp\/v2\/posts\/459\/revisions"}],"predecessor-version":[{"id":462,"href":"https:\/\/www.talsoft-security.com\/site\/wp-json\/wp\/v2\/posts\/459\/revisions\/462"}],"wp:attachment":[{"href":"https:\/\/www.talsoft-security.com\/site\/wp-json\/wp\/v2\/media?parent=459"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.talsoft-security.com\/site\/wp-json\/wp\/v2\/categories?post=459"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.talsoft-security.com\/site\/wp-json\/wp\/v2\/tags?post=459"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}