Mac Server part of DNS Amplification Attack?

I host this website on my own Mac Mini, running Yosemite Server. Recently I’ve noticed an odd amount of network traffic, as can be seen in the pic below.

[Figure: dnsAmpAttack 7day (seven-day network traffic graph)]

I turned to the app called Private Eye which will let you see where the data is going. It’s not as fancy as Little Snitch, but I like simple, and, bless the developer’s heart, free. Here’s what it showed...


Uh oh. Anything .ru is probably not a good thing.

Since the process is “named”, I know it’s the DNS server (BIND) that’s responsible for all the traffic. Turning off the service stops the problem. I use DNS so that clients on my network can find my web site and the other pages I host on my server.

I did a little research on that particular web site and it appears my server may have been an unwitting participant in what’s called a DNS amplification attack. It’s a variation on a Denial-of-Service attack. Essentially, the attacker has discovered that my DNS server is reachable and answers recursive queries. The attacker spoofs the victim’s address as the source, sending requests to all of the unsuspecting DNS servers it has found, so it appears that the victim made the requests. The DNS servers all send their replies, which are much larger than the requests, to the victim, with far more data than the attacker alone could produce, slowing and possibly bringing down the victim’s server. There’s a really nice, detailed write-up of it at Cloudflare.

Essentially, it’s my fault… I didn’t realize I’d left my server’s DNS available to all comers, not just those on my private network. To fix the problem, just set the DNS to serve only private networks.
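Before and after making that change, it’s worth confirming from BIND’s query log (once query logging is turned on) that recursive queries from outside the private networks have actually stopped. The script below is an added example, not part of the original post or of Yosemite Server; the log lines are constructed to approximate BIND 9’s query-log format, with documentation addresses standing in for the spoofed victim.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines approximating BIND 9's query log format (not real
# traffic from the post's server). 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for the spoofed victim addresses.
SAMPLE_LOG = """\
client 192.168.1.20#52311: query: www.example.com IN A + (192.168.1.10)
client 203.0.113.7#4444: query: isc.org IN ANY +E (192.168.1.10)
client 203.0.113.7#4444: query: isc.org IN ANY +E (192.168.1.10)
client 203.0.113.7#4444: query: ripe.net IN ANY +E (192.168.1.10)
client 198.51.100.9#4444: query: isc.org IN ANY +E (192.168.1.10)
client 192.168.1.21#60002: query: mail.example.com IN MX + (192.168.1.10)
client 10.0.0.5#33000: query: example.com IN TXT - (192.168.1.10)
"""

# Tolerates the optional "@0x..." client handle and "(name)" newer BIND adds.
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>[+-]\S*)"
)

# The RFC 1918 ranges the server is meant to serve.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def parse(log: str):
    """Yield (client_ip, qtype, recursion_desired) for each parseable line."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            # A leading "+" in the flags field means the client asked for recursion.
            yield m.group("ip"), m.group("qtype"), m.group("flags").startswith("+")


def open_resolver_report(log: str) -> dict:
    """Count recursive queries from clients outside the private ranges.

    ANY queries are tallied separately: they produce the largest answers
    and are the classic amplification vector."""
    recursive, any_type = Counter(), Counter()
    for ip, qtype, rd in parse(log):
        if rd and not is_private(ip):
            recursive[ip] += 1
            if qtype == "ANY":
                any_type[ip] += 1
    return {"external_recursive": dict(recursive), "external_any": dict(any_type)}
```

After restricting the server to private networks, the same report over a fresh log should come back empty.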


So far so good…

PS - Is it really my fault? Let’s go to the movie Full Metal Jacket for why I think so…  NSFW by the way. Enjoy!