For the past week we have been the recipient of a continuous DNS amplification attack campaign. (No doubt so are others.) An attempt occurs every minute.
02/06/2021-12:43:59.470926 [Drop] [**] [1:2016016:8] ET DOS DNS Amplification Attack Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 200.13.14.92:15448 -> 192.168.69.246:53
This was, well, tolerated since Suricata was blocking the attack.
Since yesterday, another DNS amplification attack has started; it is NOT detected by Suricata and is much more active.
Any suggestions how to stop the attack?
Is there a rule I could modify to detect this?
Each instance consists of two queries:
{"timestamp":"2021-02-06T12:39:35.144850-0700","flow_id":875326959203794,"event_type":"dns","src_ip":"52.197.165.129","src_port":40342,"dest_ip":"192.168.69.246","dest_port":53,"proto":"UDP","dns":{"type":"query","id":20226,"rrname":"ftx.com","rrtype":"A","tx_id":0}}
{"timestamp":"2021-02-06T12:39:35.145538-0700","flow_id":875326959203794,"event_type":"dns","src_ip":"52.197.165.129","src_port":40342,"dest_ip":"192.168.69.246","dest_port":53,"proto":"UDP","dns":{"version":2,"type":"answer","id":20226,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"ftx.com","rrtype":"A","rcode":"NOERROR","answers":[{"rrname":"ftx.com","rrtype":"A","ttl":191,"rdata":"104.18.27.153"},{"rrname":"ftx.com","rrtype":"A","ttl":191,"rdata":"104.18.26.153"}],"grouped":{"A":["104.18.27.153","104.18.26.153"]}}}
A tail of the EVE log (now 3GB) is here:
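The following is an added example, not code from the post, from Suricata or from any ruleset, showing how to run two checks over EVE `dns` records like the pair quoted above: whether the server is handing recursive answers (`rd` and `ra` set) to non-local clients for names it is not authoritative for, and how many queries each external source fires in any sliding window. The EVE lines are constructed to mimic the pattern in the post (one external source repeating the same query, plus two benign transactions and a non-DNS line), and `LOCAL_NETS` and `AUTH_ZONES` are assumptions to be replaced with the real LAN and the zones the server actually serves. Replace `SAMPLE_EVE` with the contents of the real `eve.json` to run it over the actual log.

```python
"""Heuristics over Suricata EVE dns events for the open-resolver / amplification pattern.
Added example: not the poster's code, not a Suricata rule. Sample log lines are constructed."""
import json
import ipaddress
from collections import defaultdict
from datetime import datetime

LOCAL_NETS = [ipaddress.ip_network("192.168.69.0/24")]   # assumption: the LAN behind the resolver
AUTH_ZONES = {"example.org"}                             # assumption: zones this server is authoritative for


def _txn(ts, src, sport, qid, name, flow, rdata):
    """Build one constructed query/answer pair in EVE dns format (same field layout as the post)."""
    base = {"timestamp": ts, "flow_id": flow, "event_type": "dns", "src_ip": src,
            "src_port": sport, "dest_ip": "192.168.69.246", "dest_port": 53, "proto": "UDP"}
    q = dict(base, dns={"type": "query", "id": qid, "rrname": name, "rrtype": "A", "tx_id": 0})
    a = dict(base, dns={"version": 2, "type": "answer", "id": qid, "flags": "8180", "qr": True,
                        "rd": True, "ra": True, "rrname": name, "rrtype": "A", "rcode": "NOERROR",
                        "answers": [{"rrname": name, "rrtype": "A", "ttl": 191, "rdata": r} for r in rdata]})
    return [json.dumps(q), json.dumps(a)]


# Constructed sample: one external source repeats the same query four times in under two seconds,
# another external host asks for a name in our own zone, and a LAN host makes one normal query.
SAMPLE_EVE = "\n".join(
    _txn("2021-02-06T12:39:35.144850-0700", "52.197.165.129", 40342, 20226, "ftx.com", 1, ["104.18.27.153", "104.18.26.153"])
    + _txn("2021-02-06T12:39:35.602110-0700", "52.197.165.129", 40343, 20227, "ftx.com", 2, ["104.18.27.153", "104.18.26.153"])
    + _txn("2021-02-06T12:39:36.011000-0700", "52.197.165.129", 40344, 20228, "ftx.com", 3, ["104.18.27.153", "104.18.26.153"])
    + _txn("2021-02-06T12:39:36.900500-0700", "52.197.165.129", 40345, 20229, "ftx.com", 4, ["104.18.27.153", "104.18.26.153"])
    + _txn("2021-02-06T12:40:10.000000-0700", "203.0.113.5", 5100, 1, "example.org", 5, ["192.0.2.10"])
    + _txn("2021-02-06T12:41:00.000000-0700", "192.168.69.10", 5200, 2, "ftx.com", 6, ["104.18.27.153"])
    + ['{"timestamp":"2021-02-06T12:41:01.000000-0700","event_type":"flow","src_ip":"192.168.69.10"}', ""]
)


def parse_eve(text):
    """Return the parsed records with event_type == dns, skipping blank, malformed and non-DNS lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "dns":
            events.append(rec)
    return events


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def in_auth_zone(name):
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in AUTH_ZONES)


def open_recursion_findings(events):
    """(client, name) pairs where a non-local client received an rd=1/ra=1 answer for a name outside
    our zones. Suricata keeps src_ip as the flow's client on the answer record too, as the post's
    own answer line shows, so src_ip here is still the querying host."""
    found = set()
    for e in events:
        d = e["dns"]
        if d.get("type") != "answer" or is_local(e["src_ip"]):
            continue
        if d.get("rd") and d.get("ra") and not in_auth_zone(d.get("rrname", "")):
            found.add((e["src_ip"], d["rrname"]))
    return sorted(found)


def peak_query_rate(events, window_s=60.0):
    """Largest number of queries from each source inside any sliding window of window_s seconds."""
    times = defaultdict(list)
    for e in events:
        if e["dns"].get("type") == "query":
            ts = datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
            times[e["src_ip"]].append(ts.timestamp())
    peaks = {}
    for src, ts in times.items():
        ts.sort()
        best, lo = 0, 0
        for hi in range(len(ts)):
            while ts[hi] - ts[lo] > window_s:   # slide the window start forward
                lo += 1
            best = max(best, hi - lo + 1)
        peaks[src] = best
    return peaks


def suspicious_sources(events, window_s=60.0, threshold=3):
    """External sources whose peak query rate reaches the threshold."""
    return sorted(src for src, n in peak_query_rate(events, window_s).items()
                  if n >= threshold and not is_local(src))


if __name__ == "__main__":
    evs = parse_eve(SAMPLE_EVE)
    print("open recursion served to:", open_recursion_findings(evs))
    print("peak queries per source:", peak_query_rate(evs))
    print("suspicious sources:", suspicious_sources(evs))
```

If the first check reports anything, the server is answering recursive queries from the Internet, and that, rather than a missed signature, is what makes it usable as an amplifier; restricting recursion to the local networks in the resolver's own configuration removes the amplification regardless of whether Suricata spots the next variant. The rate check is only a triage aid for picking sources to block and for confirming the one-per-minute cadence described in the post.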