DNS Denial of Service on Windows Server 2008 R2 with recursion disabled.
One of our public facing nameservers has been experiencing flood attacks, typically requesting the zone "isc.org" or "directedat.asia". The flood will usually cause bandwidth problems for other devices on the network, including my workstation. Running a persistent ping to a public address from my workstation, latency will jump from a nominal 20ms to over 600ms, with about a 20% (or more) packet loss (request timed out).
I have been using RRAS and Wireshark to (lamely) block the attacking IPs, which resolves the problem. Obviously, this requires babysitting. It seems the worst attackers have been mitigated.
Is there any configuration in Microsoft DNS that will allow for automatic throttling or blocking of requesting IPs for which the DNS server is not authoritative?
Considering all the threads out there, I know we are not the only ones experiencing this problem. This *seems* like it would be a no-brainer setting (our email server has this built-in and configurable for bogus SMTP and POP3 traffic).
A related question:
To troubleshoot the attack, I have been using Resource Monitor, Network tab, then filter for Image dns.exe to quickly verify the server is being attacked. During an attack the "Send (B/sec)" column will usually jump up to over 200,000 (as much as 600,000) whereas legitimate lookups will usually be around 100. The problem is that the "Address" column performs a RevDNS lookup and displays the FQDN. It is a real PITA to determine what address is under that FQDN (imagine typing: "nslookup cpc5-stok17-2-0-cust372.1-4.cable.virginmedia.com"). I have been forced to use Wireshark to tell me the attacking IP (so that I can add it to the drop list in RRAS).
Is there any way to disable RevDNS lookup for the Address column in Resource Monitor?
Being able to disable name lookup is quite handy; I use it all the time in programs such as Sysinternals' TCPView. But TCPView does not seem to show the UDP traffic, only TCP traffic (hence the program name?!).
Thanks in advance!!
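As an added illustration (not part of the question above, and not Microsoft DNS or Wireshark code), the following Python parses the question section of raw DNS query payloads and counts, per source IP, how many queries ask for names outside the zones the server is authoritative for. That is the signal the poster is trying to read off Resource Monitor and Wireshark by hand: a single source sending hundreds of "isc.org"/"directedat.asia" queries stands out without any reverse lookup. The authoritative zone `example.com`, the threshold and the sample traffic are all assumptions constructed for the example.

```python
import struct
from collections import Counter

AUTHORITATIVE_ZONES = ("example.com",)   # assumed: zones this server actually serves
QTYPE_ANY = 255

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query message (used only to construct sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)   # QCLASS IN

def parse_question(payload):
    """Return (qname, qtype) from the first question of a DNS message, or None."""
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:       # QR bit set: a response, not a query
        return None
    pos, labels = 12, []
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                   # compression pointer in a question: malformed
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    qtype = struct.unpack("!H", payload[pos:pos + 2])[0]
    return ".".join(labels).lower(), qtype

def is_authoritative(qname, zones=AUTHORITATIVE_ZONES):
    return any(qname == z or qname.endswith("." + z) for z in zones)

def find_floods(packets, threshold, zones=AUTHORITATIVE_ZONES):
    """packets: iterable of (src_ip, dns_payload). Returns {src_ip: count} for sources
    that sent more than `threshold` queries for names this server does not serve."""
    counts = Counter()
    for src, payload in packets:
        try:
            question = parse_question(payload)
        except (IndexError, struct.error):  # truncated or garbage payload
            continue
        if question is not None and not is_authoritative(question[0], zones):
            counts[src] += 1
    return {ip: n for ip, n in counts.items() if n > threshold}

# Constructed sample traffic: one source flooding "isc.org ANY", two normal clients.
SAMPLE = ([("203.0.113.7", build_query("isc.org", QTYPE_ANY))] * 50
          + [("198.51.100.2", build_query("www.example.com"))] * 3
          + [("198.51.100.9", build_query("directedat.asia", QTYPE_ANY))] * 2)
```

Feeding it the UDP payloads from a Wireshark export (or any capture) gives the drop-list candidates directly as addresses, which is what RRAS needs.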