
Anti-hack warning


macole111
03-06-2013, 10:02
On my MS DNS server just ticking the disable recursion box wasn't enough. I could still request Google through my DNS server and the OVH page was still red.

What I had to do was remove all forwarders and delete all the root hints from the server properties window. This would stop the server forwarding requests. I am not sure why we have to do all that but it fixes the issue on 2008 r2 and 2012.

To do some more detailed feedback I use http://www.kloth.net/services/dig.php with the server set to the op in question with trace set, if I try google.co.uk then if it shows a fill request I know it is still forwarding. It's a bit easier to understand than the French OVH thingy, why can't they translate it?

-macole111

Andy
03-06-2013, 10:01
All I did was disable recursion and it was just fine.

Trapper
03-06-2013, 09:28
OK, noticed some issues on Thursday last week with one of my servers.

As Andy said, settings (recursive lookups) have been corrected, but still the page:
https://www.ovh.com/cgi-bin/tools/dns_security.cgi
lists some of the servers as "Problème de sécurité".

Seems they are in "Protection" and "VAC" is enabled.

Did anyone make any other changes to a Microsoft DNS machine?

Is responding with Root Hints considered a failure? - If so how do I stop this?

Sorry OVH, I have enough trouble "wiv InGlish". Can we please have these pages in something other than French.

LT

Andy
24-05-2013, 00:27
I got a reply and apparently it was a mistake to notify me for the other IP. At least they were honest. No harm done.

Andy
22-05-2013, 23:16
Yeah, apparently nslookup on windows achieves the same result if you add in the server to use. I'm just hoping it's a delayed reaction by the manager or OVH's techs putting it on a list.

Myatu
22-05-2013, 23:12
Ah yes, then it wouldn't be. Not sure how to do it with Windows, but with *nix a quick check is to perform a 'dig' on the nameserver itself from an outside source, i.e.:

Code:
dig google.com @mynameserver
Obviously replacing 'mynameserver' with the actual value. It shouldn't give an answer.

Coincidentally, I tried your ones (iisunderground and betaarchive), and they just return a 'Nope. Go and try the rootservers instead' answer, so I assume that'd suffice.
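The dig check above, and Trapper's question further down about whether answering with root hints counts, come down to reading a few header fields of the reply. The script below is an added example written for this thread, not code posted by anyone here or by OVH. It builds an RFC 1035 query with the RD bit set, sends it to a nameserver when one is given on the command line, and classifies the reply as refused, a non-authoritative answer (open resolver), a referral (no answer but root-hint NS records leaked), or authoritative. The verdict names, the constructed sample replies, and the 192.0.2.1 / a.root-servers.net filler data are assumptions made for the example; the thread itself does not say how OVH's checker scores a referral, only that macole111 had to remove root hints and forwarders before the page went green.

```python
"""Open-resolver check: build a recursive DNS query, optionally send it over UDP,
and classify the reply. Sample replies are CONSTRUCTED here for offline runs."""
import secrets
import socket
import struct
import sys

RCODE_NOERROR, RCODE_REFUSED = 0, 5
QTYPE_A, QTYPE_NS, CLASS_IN = 1, 2, 1


def encode_name(name):
    """Dotted name -> wire-format labels; the root "." encodes as a single zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(data, offset):
    """Decode a (possibly compressed) name at offset; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer (2 bytes)
            if not jumped:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | data[offset + 1]
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def build_query(name, txid, qtype=QTYPE_A):
    """Query with RD=1: a server that honours it for a foreign name is an open resolver."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def classify_response(query, response):
    """Return (verdict, details) describing what the reply says about recursion."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch: not a reply to our query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    aa, ra, rcode = bool(flags & 0x0400), bool(flags & 0x0080), flags & 0x000F
    qname = decode_name(response, 12)[0] if qd else None
    details = {"qname": qname, "rcode": rcode, "aa": aa, "ra": ra,
               "answers": an, "authority": ns}
    if rcode == RCODE_REFUSED:
        verdict = "refused"            # recursion off and the foreign name was rejected
    elif rcode == RCODE_NOERROR and an > 0 and not aa:
        verdict = "open-resolver"      # non-authoritative answer: it resolved it for us
    elif rcode == RCODE_NOERROR and an == 0 and ns > 0 and not aa:
        verdict = "referral"           # no answer, but it handed out its root hints
    elif aa:
        verdict = "authoritative"      # answered from its own zone: no recursion shown
    else:
        verdict = "other"
    return verdict, details


def probe(server, name="google.com", timeout=3.0):
    """Send the query to `server` over UDP/53 and classify the reply (needs network)."""
    query = build_query(name, txid=secrets.randbits(16))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        response, _ = sock.recvfrom(4096)
    return classify_response(query, response)


def constructed_response(query, rcode, ra, answers=0, authority=0, aa=False):
    """CONSTRUCTED sample reply to `query` for offline tests (not a captured packet).
    Answer RRs are A records for 192.0.2.1 (RFC 5737 documentation range); authority
    RRs imitate root hints, i.e. NS records for "." naming a.root-servers.net."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | 0x0100 | (0x0400 if aa else 0) | (0x0080 if ra else 0) | rcode
    header = struct.pack("!HHHHHH", txid, flags, 1, answers, authority, 0)
    a_rr = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    ns_rdata = encode_name("a.root-servers.net.")
    ns_rr = encode_name(".") + struct.pack("!HHIH", QTYPE_NS, CLASS_IN, 518400, len(ns_rdata)) + ns_rdata
    return header + query[12:] + a_rr * answers + ns_rr * authority


SAMPLES = {  # expected verdict -> constructed reply shape
    "open-resolver": dict(rcode=RCODE_NOERROR, ra=True, answers=1),
    "refused": dict(rcode=RCODE_REFUSED, ra=False),
    "referral": dict(rcode=RCODE_NOERROR, ra=False, authority=13),
    "authoritative": dict(rcode=RCODE_NOERROR, ra=False, answers=1, aa=True),
}


def run_samples(name="google.com"):
    """Classify each constructed sample; returns {expected_verdict: actual_verdict}."""
    query = build_query(name, txid=0xBEEF)
    return {label: classify_response(query, constructed_response(query, **kw))[0]
            for label, kw in SAMPLES.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:            # e.g. python open_resolver_check.py 192.0.2.53
        print(probe(sys.argv[1]))
    else:
        for label, verdict in run_samples().items():
            print(f"{label:14s} -> {verdict}")
```

Run it with no arguments to see the four constructed cases classified; run it with a nameserver address to probe that server from outside its network, which is what the dig command above does. Only "refused" (or a plain authoritative answer for a zone the server actually hosts) is the result you want from an authoritative-only server.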

Andy
22-05-2013, 23:03
I run my own nameservers so that's not an option.

Myatu
22-05-2013, 23:02
Depending on how your servers are setup, you could close TCP and UDP ports 53 to external sources (only allow 127.0.0.1 to access it). That's one of the first things I generally do with new servers...

Andy
22-05-2013, 22:49
I just got another hack notice for my other IP, yet it's disabled server wide. I hope it's just a delayed response by the system...

Myatu
22-05-2013, 20:47
5 Mbps doesn't get noticed, whereas 1 Gbps does. Do that x1000 drones, and that's enough to knock out a small server or company network.

Kacotet
22-05-2013, 14:35
There is no reason for anyone to be running an open DNS resolver that could be abused by the bad guys. http://dns.measurement-factory.com/s...resolvers.html

This is the first time you've been notified by OVH. The relay could have been abused many times and gone undetected.

A couple? More like hundreds to thousands if they do not take action. 24 hours is more than enough time for any responsible individual to get an issue like this fixed. These servers are unmanaged, they shouldn't have to hold the customers hand.

I agree with you on this point. OVH should be proactive.

Andy
22-05-2013, 12:33
Yes, but it's better than the 1Gbps they could have had otherwise. Big difference isn't it?

It's not about being an experienced sysadmin, which I don't claim to be. I know more than enough to get me by. The fact is it's never been a problem before. 5 years I have operated a DNS with open relay capabilities and this is the first time I've had a problem. Also remember that it's sometimes necessary to operate a server in this way, depending on your configuration of other software.

OVH will probably get thousands of Spamhaus entries per day, a couple more isn't going to hurt. However you're missing the point that OVH need to help their customers more rather than just issuing a "fix this in 24 hours or we cut you off" message.

OVH knew open relays were an issue for many weeks. Why didn't they scan their network for open relays and contact customers individually BEFORE it became an issue?

Again, everyone is always missing the point that it's not just the customer's fault but OVH's as well for not being vigilant enough. Unmanaged or not, it's still partly their responsibility as a network provider.

Kacotet
22-05-2013, 12:25
5Mb/s is still a significant amount of traffic. An attacker with lots of 5Mb/s capable servers has a lot of power in his hands.

If business is mission critical, employ an experienced sysadmin.

You should think about the damage it'll do to OVH's reputation (Spamhaus listings, etc) rather than how it affects the individual who failed to harden his server. This situation could have been avoided.

Andy
22-05-2013, 11:00
I agree, but 24 hours is a pretty short amount of time. They could just block your DNS port rather than taking the server offline, or limit the throughput of DNS to say 5Mbps. I doubt many people need more than 5Mbps of continuous DNS data per server unless that's all it was designed to do.

OVH just don't seem to understand that people have dedicated servers that are mission critical. Sure people say don't use OVH for mission critical, but they are great when they work. Their downfall is their petty nature when it comes to "hack" issues like this where all they think about is the network and not the customer.

The server should NEVER EVER be taken offline unless it is causing an extremely serious problem, or is breaking the law. DNS amplification is a serious issue but OVH have the ability to reduce its effect with rate limiting etc. 24 hours is a very short amount of time and not everyone may be able to respond in that time. E.G. I might have been on holiday without Internet access for a few days.

Kacotet
22-05-2013, 10:55
It's nice to see OVH being proactive. DNS amplification attacks are a HUGE issue.

http://blog.cloudflare.com/the-ddos-...offline-and-ho

Andy
21-05-2013, 21:48
It's a good thing. There are too many open DNS servers out there, so if I can prevent it even a little I will.

macole111
21-05-2013, 21:46
I got EXACTLY the same message yesterday at around 10pm, it was for a 2008 R2 web server that shouldn't even have a DNS server. I disabled the recursion as you have and then removed the DNS server.

I sent a quick message back to OVH asking them to confirm that the problem is resolved.

They are obviously trying to stop a repeat of the spamhaus attack.

-macole111

Andy
21-05-2013, 20:59
Thanks. I actually took the time to read their hack warning after angrily shouting at OVH being ridiculous, and it contains a link to http://www.us-cert.gov/ncas/alerts/TA13-088A which tells you how to do it. Doh!

K.Kode
21-05-2013, 20:55
Yes
http://technet.microsoft.com/en-us/l.../cc771738.aspx

Andy
21-05-2013, 19:07
Hi all,

Apparently my server has been used as a DNS amplification source because relaying was enabled. I didn't know this was set by default so my question is, is this all I have to do to disable relay?



OVH said that the server will be suspended if it's not resolved within 24 hours.

Cheers.