DDoS attack on home network

bds1904

So someone found a bit of an exploit in my home network today, I was getting some erroneous UDP DNS requests that were maxing out the upstream of one of my internet connections. I was receiving about 300pps and the responses were huge, maxing out my upstream.

Turns out that my RouterOS router was answering DNS requests from external IPs. I find it odd that that was even allowed by default. Easily fixed and all, but correct me if I am wrong, responding to external IPs is normally disabled by default on just about all routers, right?

Other thing, why the heck would someone target a home network with a DDoS attack that has no external services running?
 
RouterOS is not your regular consumer router. A Cisco or Juniper would by default reply unless you set up firewall/access lists. This is normal.
 
They were probably using you for a DNS Amplification Attack:
http://www.watchguard.com/infocenter/editorial/41649.asp

Basically, the attacker was sending a tiny packet to your open DNS server, and your server was replying back to the spoofed/target IP with much larger packet. Get a large list of open DNS servers to do this all at once, and you can greatly increase the amount of data you're hitting your target with. Like the article says, 70:1 increase in data with the properly malformed DNS request.
 
Well that explains a lot

Funny thing is that it was only on my AT&T connection (i have a comcast connection also).

My AT&T connection uses a Motorola NVG589 and I have the ip-passthru enabled so my router gets a public IP address. I'm wondering if the source of the attack is targeting AT&T subnets, as they would be an easy target considering ALL of the uverse subscribers have only a short list of RGs.

Time to start looking into if a uverse router answers DNS requests to a public IP.
 
... erogenous UDP DNS ...

That's a pretty standard DNS amplification/reflection attack.
 