Investigating a DNS DDoS Attack

Update: AT&T sent me a new modem which gave me a new IP address. All is fine now :)


Last night I began noticing extreme slowness in traffic bound for the Google Play Store. Strangely enough, all other network traffic was fine. Upon further investigation, I realized that my Sophos Home UTM was dropping hundreds of DNS queries on its external (public) interface. Well, 32,968 DNS queries per hour or 549 queries per second. I only allow port 53 to internal clients and to two static OpenDNS IP addresses. The intrusion prevention system was also doing its job and blocked malformed DNS packets. The UTM's CPU never spiked above 2% and RAM stayed in the 10% - 20% range, so I knew I was in good shape. However, I had to investigate. This was my chance!!!

For cool factor, here's a map generated using Splunk showing where I received the queries from:

So I SSHed into my UTM and fired up the tcpdump utility. tcpdump is like a command-line version of Wireshark: it can sniff packets, process them, and store them in your desired format. Since all the packets I was interested in were DNS packets, here is the command I ran to capture all DNS traffic on my external (ETH01) interface:

tcpdump -i eth0 port 53

And the result?

22:14:35.440155 IP > sophosutm.domain: 9075+ [1au] ANY? (44)
22:14:35.440360 IP > sophosutm.domain: 9075+ [1au] ANY? (44)
22:14:35.440554 IP > sophosutm.domain: 9075+ [1au] ANY? (44)
22:14:35.440731 IP > sophosutm.domain: 9075+ [1au] ANY? (44)
22:14:35.440910 IP > sophosutm.domain: 9075+ [1au] ANY? (44)
22:14:35.441091 IP > sophosutm.domain: 9075+ [1au] ANY? (44)
22:14:35.441292 IP > sophosutm.domain: 9075+ [1au] ANY? (44)
22:14:35.441486 IP > sophosutm.domain: 9075+ [1au] ANY? (44)

As you can see, I am receiving queries from requesting name resolution for shows is one of China Telecom's IP addresses. In regard to the queried domain name, here is what has to say:

Latest URLs hosted in this domain detected by at least one URL scanner or malicious URL dataset.

For sure, isn't the only IP address sending these queries. A quick search in Splunk:

action="drop" dstport=53 | stats count by srcip

The results are astounding. Within the last 24 hours, I received DNS queries from 163 different IP addresses. The top ten are as follows:

 -- 23218 queries
 -- 22192 queries
 -- 20825 queries
 -- 13506 queries
 -- 11641 queries
 -- 11463 queries
 -- 9031 queries
 -- 8696 queries
 -- 6227 queries
 -- 5815 queries
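The two investigation steps above, reading the tcpdump output and then counting dropped queries per source address in Splunk, can be reproduced offline from a saved capture. The script below is an added example and is not code from the original post or from Sophos or Splunk: it parses tcpdump lines in the same shape as the ones shown earlier, counts them per source address the way the "stats count by srcip" search does, computes the overall query rate, and lists the sources that keep sending ANY queries with an EDNS0 OPT record ("[1au]"), the combination that makes a DNS reflection attack worthwhile for the attacker because a tiny query would produce a large answer. The sample capture is constructed, the addresses come from the RFC 5737 documentation ranges, the queried name is a placeholder, and the function names are my own.

```python
"""Summarize DNS queries from a tcpdump text capture (added example)."""
import re
from collections import Counter
from datetime import datetime

# tcpdump prints a DNS query roughly as
#   HH:MM:SS.usec IP src.port > dst.service: id[+] [1au] TYPE? name. (len)
# where "+" means recursion desired and "[1au]" means the client attached an
# EDNS0 OPT record (it is advertising a large UDP buffer for the answer).
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+?)\.(?P<dport>\w+): "
    r"(?P<qid>\d+)(?P<rd>\+?) (?P<edns>\[1au\] )?"
    r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<len>\d+)\)$"
)

# Constructed sample capture in the same shape as the post's tcpdump output.
# Addresses are RFC 5737 documentation ranges and the name is a placeholder.
SAMPLE = """\
22:14:35.000000 IP 198.51.100.7.45981 > sophosutm.domain: 9075+ [1au] ANY? queried-domain.example. (44)
22:14:35.000180 IP 198.51.100.7.45981 > sophosutm.domain: 9075+ [1au] ANY? queried-domain.example. (44)
22:14:35.000361 IP 203.0.113.44.53 > sophosutm.domain: 1201+ [1au] ANY? queried-domain.example. (44)
22:14:35.000540 IP sophosutm.domain > 198.51.100.7.45981: 9075 Refused 0/0/1 (44)
22:14:35.000720 IP 198.51.100.7.45981 > sophosutm.domain: 9075+ [1au] ANY? queried-domain.example. (44)
this line is not a DNS query and is skipped
22:14:36.100000 IP 198.51.100.9.51234 > sophosutm.domain: 4412+ A? www.example. (33)
22:14:36.500000 IP 203.0.113.44.53 > sophosutm.domain: 1202+ [1au] ANY? queried-domain.example. (44)
22:14:37.000000 IP 198.51.100.7.45981 > sophosutm.domain: 9075+ [1au] ANY? queried-domain.example. (44)
"""


def parse_query(line):
    """Return a dict for one inbound DNS query line, or None for anything else
    (responses, non-DNS lines, garbage)."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%H:%M:%S.%f"),
        "src": m["src"],
        "qtype": m["qtype"],
        "qname": m["qname"],
        "rd": m["rd"] == "+",
        "edns": m["edns"] is not None,
        "len": int(m["len"]),
    }


def summarize(lines):
    """Count parsed queries by source address and by query type (the Splunk
    'stats count by srcip' view) and compute the average query rate over the
    capture window. Assumes all timestamps fall on the same day."""
    records = [r for r in map(parse_query, lines) if r]
    by_src = Counter(r["src"] for r in records)
    by_type = Counter(r["qtype"] for r in records)
    elapsed = (records[-1]["ts"] - records[0]["ts"]).total_seconds() if records else 0.0
    qps = len(records) / elapsed if elapsed > 0 else float(len(records))
    return {"total": len(records), "by_src": by_src, "by_type": by_type,
            "elapsed_s": elapsed, "qps": qps}


def amplification_candidates(lines, min_any=2):
    """Sources that sent at least min_any ANY queries carrying EDNS0. Answering
    those would amplify traffic toward whoever the source address is (possibly
    a spoofed victim), so they are the first addresses to review and to keep
    dropping at the edge."""
    records = [r for r in map(parse_query, lines) if r]
    any_edns = Counter(r["src"] for r in records if r["qtype"] == "ANY" and r["edns"])
    return sorted(src for src, n in any_edns.items() if n >= min_any)


def main():
    lines = SAMPLE.splitlines()
    s = summarize(lines)
    print(f"{s['total']} queries over {s['elapsed_s']:.1f}s ({s['qps']:.1f} q/s)")
    for src, n in s["by_src"].most_common():
        print(f"{src:>16} -- {n} queries")
    print("by type:", dict(s["by_type"]))
    print("ANY+EDNS0 sources:", amplification_candidates(lines))


if __name__ == "__main__":
    main()
```

To use it on a real capture, run tcpdump with -n so source addresses are printed as numbers rather than resolved names (the regex expects dotted quads), save the output to a file, and feed its lines to summarize(). Response lines and anything else that is not an inbound query are ignored by the parser, so the counts only reflect what actually hit the interface.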

As much as I would like to investigate further, there are way too many IP addresses, most of which belong to shared hosting providers. The source IP addresses may also have been spoofed, which adds more complexity to the matter. If the Root Server Operations team couldn't go further than this step, I think I will stop here too. The DDoS attack is still continuing, and AT&T hasn't given me a new IP address even after tens of modem reboots and phone calls. Alright, back to work!!!