Block Low Port Traffic to Stop DNS Attacks

G5 Cyber Security

1 month ago

TL;DR

DNS amplification attacks use your server to flood targets with unwanted traffic. Blocking incoming connections on privileged ports (below 1024) significantly reduces your risk, as attackers often spoof source ports in this range. This guide shows you how to do it using common firewall tools.

Steps

Understand the Risk

DNS amplification attacks exploit open DNS resolvers. Attackers send small requests to these resolvers, spoofing the source IP address as the victim’s.
The resolver then sends large responses to the victim, overwhelming their network.
Attackers frequently use privileged ports (ports 1-1023) as source ports in their malicious requests. Blocking these reduces attack surface.

Check Your Current Firewall Rules

Before making changes, see what rules you already have. The commands vary depending on your firewall.

iptables (Linux):
```
sudo iptables -L INPUT
```
firewalld (Linux):
```
sudo firewall-cmd --list-all
```
ufw (Uncomplicated Firewall, Linux):
```
sudo ufw status verbose
```
Windows Defender Firewall with Advanced Security: Open ‘wf.msc’ and check inbound rules.

Block Incoming Traffic on Privileged Ports (iptables)

This example blocks all incoming TCP traffic on ports 1-1023.

sudo iptables -A INPUT -p tcp --sport 1:1023 -j DROP

To block UDP as well:

sudo iptables -A INPUT -p udp --sport 1:1023 -j DROP

Important: These rules are not persistent by default. Save them so they survive a reboot.

On Debian/Ubuntu:

sudo apt-get install iptables-persistent

sudo netfilter-persistent save

On CentOS/RHEL:

sudo yum install iptables-services

sudo service iptables save

Block Incoming Traffic on Privileged Ports (firewalld)

This example blocks all incoming traffic on ports 1-1023.

sudo firewall-cmd --permanent --add-port=1:1023/tcp

sudo firewall-cmd --permanent --add-port=1:1023/udp

sudo firewall-cmd --reload

Block Incoming Traffic on Privileged Ports (ufw)

This example blocks all incoming traffic on ports 1-1023.

sudo ufw deny from any to any port 1:1023 proto tcp

sudo ufw deny from any to any port 1:1023 proto udp

sudo ufw reload

Block Incoming Traffic on Privileged Ports (Windows Defender Firewall)

Open ‘Windows Defender Firewall with Advanced Security’.
Click ‘Inbound Rules’ then ‘New Rule…’.
Select ‘Port’ and click ‘Next’.
Select ‘TCP’ and enter ‘1-1023’ in the ‘Specific local ports:’ field. Click ‘Next’.
Repeat for UDP, entering ‘1-1023’.
Select ‘Block the connection’ and click ‘Next’.
Choose when to apply the rule (Domain, Private, Public) and give it a name.

Test Your Rules

Use an online port scanner (e.g., YouGetSignal) to verify that ports 1-1023 are closed on your server.

Monitor Your cyber security

Regularly review firewall logs for any unexpected activity and adjust rules as needed. Consider using intrusion detection systems (IDS) for more advanced monitoring.