Posted to users@cloudstack.apache.org by Indra Pramana <in...@sg.or.id> on 2014/12/15 13:13:58 UTC

DNS amplification attack to CloudStack VR running dnsmasq

Dear all,

We are using CloudStack 4.2.0 with KVM hypervisors.

Is there a way to prevent our virtual routers (VRs) from being targeted by DNS
amplification attacks? It seems that the DNS services on dnsmasq running on
the VRs are by default recursive, causing them to easily be targeted for DNS
amplification attacks.

Any advice on how to overcome this?

Looking forward to your reply, thank you.

Cheers.

Re: DNS amplification attack to CloudStack VR running dnsmasq

Posted by Andrija Panic <an...@gmail.com>.
You got a response with the BUGs on JIRA, and a temp fix is there...
So, yes.

On 15 December 2014 at 13:49, Indra Pramana <in...@sg.or.id> wrote:
>
> Hi Andrija,
>
> Yes, it's on a shared network with public IP in advanced zone. So far I
> don't see similar issues on my VPC's VRs, but it could be because the IP is
> not known, unlike the VR on a shared network which will automatically use
> the second IP on the subnet after the gateway (e.g. x.x.x.2).
>
> Is there a way to configure dnsmasq not to respond to recursive queries?
>
> Thank you.
>
>
>
> On Mon, Dec 15, 2014 at 8:22 PM, Andrija Panic <an...@gmail.com>
> wrote:
> >
> > Indra, did you observe this on Shared Network - I had the same issue with
> > Shared Network (public IPs) in Advanced Zone.
> >
> > I think VR for VPC is NOT a problem...
> >
> > On 15 December 2014 at 13:13, Indra Pramana <in...@sg.or.id> wrote:
> > >
> > > Dear all,
> > >
> > > We are using CloudStack 4.2.0 with KVM hypervisors.
> > >
> > > Is there a way to prevent our virtual routers (VRs) from being targeted
> > > by DNS amplification attacks? It seems that the DNS services on dnsmasq
> > > running on the VRs are by default recursive, causing them to easily be
> > > targeted for DNS amplification attacks.
> > >
> > > Any advice on how to overcome this?
> > >
> > > Looking forward to your reply, thank you.
> > >
> > > Cheers.
> > >
> >
> >
> > --
> >
> > Andrija Panić
> >
>


-- 

Andrija Panić

Re: DNS amplification attack to CloudStack VR running dnsmasq

Posted by Indra Pramana <in...@sg.or.id>.
Hi Andrija,

Yes, it's on a shared network with public IP in advanced zone. So far I
don't see similar issues on my VPC's VRs, but it could be because the IP is
not known, unlike the VR on a shared network which will automatically use
the second IP on the subnet after the gateway (e.g. x.x.x.2).

Is there a way to configure dnsmasq not to respond to recursive queries?

Thank you.



On Mon, Dec 15, 2014 at 8:22 PM, Andrija Panic <an...@gmail.com>
wrote:
>
> Indra, did you observe this on Shared Network - I had the same issue with
> Shared Network (public IPs) in Advanced Zone.
>
> I think VR for VPC is NOT a problem...
>
> On 15 December 2014 at 13:13, Indra Pramana <in...@sg.or.id> wrote:
> >
> > Dear all,
> >
> > We are using CloudStack 4.2.0 with KVM hypervisors.
> >
> > Is there a way to prevent our virtual routers (VRs) from being targeted
> > by DNS amplification attacks? It seems that the DNS services on dnsmasq
> > running on the VRs are by default recursive, causing them to easily be
> > targeted for DNS amplification attacks.
> >
> > Any advice on how to overcome this?
> >
> > Looking forward to your reply, thank you.
> >
> > Cheers.
> >
>
>
> --
>
> Andrija Panić
>

Re: DNS amplification attack to CloudStack VR running dnsmasq

Posted by Jayapal Reddy Uradi <ja...@citrix.com>.
Please refer to the following ticket, it will help: https://issues.apache.org/jira/browse/CLOUDSTACK-5494


Thanks,
jayapal
On 15-Dec-2014, at 5:52 PM, Andrija Panic <an...@gmail.com> wrote:

> Indra, did you observe this on Shared Network - I had the same issue with
> Shared Network (public IPs) in Advanced Zone.
> 
> I think VR for VPC is NOT a problem...
> 
> On 15 December 2014 at 13:13, Indra Pramana <in...@sg.or.id> wrote:
>> 
>> Dear all,
>> 
>> We are using CloudStack 4.2.0 with KVM hypervisors.
>> 
>> Is there a way to prevent our virtual routers (VRs) from being targeted by DNS
>> amplification attacks? It seems that the DNS services on dnsmasq running on
>> the VRs are by default recursive, causing them to easily be targeted for DNS
>> amplification attacks.
>> 
>> Any advice on how to overcome this?
>> 
>> Looking forward to your reply, thank you.
>> 
>> Cheers.
>> 
> 
> 
> -- 
> 
> Andrija Panić


Re: DNS amplification attack to CloudStack VR running dnsmasq

Posted by Andrija Panic <an...@gmail.com>.
Indra, did you observe this on Shared Network - I had the same issue with
Shared Network (public IPs) in Advanced Zone.

I think VR for VPC is NOT a problem...

On 15 December 2014 at 13:13, Indra Pramana <in...@sg.or.id> wrote:
>
> Dear all,
>
> We are using CloudStack 4.2.0 with KVM hypervisors.
>
> Is there a way to prevent our virtual routers (VRs) from being targeted by DNS
> amplification attacks? It seems that the DNS services on dnsmasq running on
> the VRs are by default recursive, causing them to easily be targeted for DNS
> amplification attacks.
>
> Any advice on how to overcome this?
>
> Looking forward to your reply, thank you.
>
> Cheers.
>


-- 

Andrija Panić

Re: DNS amplification attack to CloudStack VR running dnsmasq

Posted by Wei ZHOU <us...@gmail.com>.
Please look at the comments for CLOUDSTACK-5494 and CLOUDSTACK-6432 on JIRA.
Maybe it helps.

-Wei

2014-12-15 13:13 GMT+01:00 Indra Pramana <in...@sg.or.id>:

> Dear all,
>
> We are using CloudStack 4.2.0 with KVM hypervisors.
>
> Is there a way to prevent our virtual routers (VRs) from being targeted by DNS
> amplification attacks? It seems that the DNS services on dnsmasq running on
> the VRs are by default recursive, causing them to easily be targeted for DNS
> amplification attacks.
>
> Any advice on how to overcome this?
>
> Looking forward to your reply, thank you.
>
> Cheers.
>
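
Added example, not part of the thread or of the JIRA tickets it cites: a way to confirm, from a host outside the guest network, whether a VR you operate still answers recursive queries once a fix is in place. The function names and the sample replies are constructed for illustration; the verdict is read from the RA flag, RCODE and answer count in the DNS header.

```python
import socket
import struct

QR, RA, RCODE_MASK, REFUSED = 0x8000, 0x0080, 0x000F, 5

def build_query(name, qid=0x1234, qtype=1):
    """Build a DNS query (default type A) with the RD (recursion desired) bit set."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def classify(query, response):
    """Classify the reply to `query` as seen from a host outside the guest network."""
    if response is None:
        return {"verdict": "no-answer", "amplification": 0.0}
    if len(response) < 12:
        return {"verdict": "malformed", "amplification": 0.0}
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if qid != struct.unpack("!H", query[:2])[0] or not flags & QR:
        return {"verdict": "malformed", "amplification": 0.0}
    rcode = flags & RCODE_MASK
    if rcode == REFUSED:
        verdict = "refused"
    elif flags & RA and rcode == 0 and ancount > 0:
        verdict = "open-resolver"  # recursion offered and an answer returned
    else:
        verdict = "answered-no-recursion"
    return {"verdict": verdict, "amplification": round(len(response) / len(query), 2)}

def probe(server, name="example.com", timeout=3.0):
    """Send one query to a resolver you operate and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            response, _ = sock.recvfrom(4096)
        except OSError:  # timeout or ICMP unreachable: nothing answered
            response = None
    return classify(query, response)

def sample_reply(query, flags, answers):
    """Constructed reply for offline testing: echoes the question, adds A records."""
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return query[:2] + struct.pack("!HHHHH", flags, 1, answers, 0, 0) + query[12:] + rr * answers

if __name__ == "__main__":
    q = build_query("example.com")
    print(classify(q, sample_reply(q, 0x8180, 1)))  # constructed open-resolver reply
    print(classify(q, sample_reply(q, 0x8105, 0)))  # constructed REFUSED reply
    print(classify(q, None))                        # filtered: no reply at all
```

A VR that is filtered or restricted correctly should yield `no-answer` or `refused` when `probe()` is run against its public IP from outside; `open-resolver` means it is still usable as a reflector.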
