On Mon, 18 Mar 2013, Will Nordmeyer wrote:
> Last night (actually over the past few days), my server has been
> hammered with DNS requests
You may have been an unwitting part of this: http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho

In Blue Quartz/Blue Onyx, under Network Service/DNS/Advanced, there's a checkbox labeled "Cache Record Lookups". This sounds like it might be a good thing, but what it's really doing is telling the DNS server to "Allow Recursion" if checked. Allowing recursion to *anyone* opens the server up to be a prime candidate for use in a DNS amplification DDoS attack, precisely what the article describes. To prevent this, be sure you list *ONLY* IPs/networks the server NEEDS to do recursive lookups for in the box: "Query Request Recursion Access by IP Address".

To cloud the issue further, older versions of BIND may be fully open (much like being an open mail relay was once considered a Good Thing). In some versions, "localhost; localnets" are the default for which recursion is allowed. In others, the default means anyone. Check your BIND version and the actual recursion settings in /etc/named.conf.

The iptables count-then-drop solutions mentioned by others here can help mitigate an attack on your server once one begins; but the inbound query traffic will still reach the server, even though no outbound response to it is generated. The problem with this approach is that a single or infrequent probe test DNS query by the attacker will get by the counter; and if recursion is allowed to external networks, your server would be seen and flagged as a good target. The solution also means that you'd be sending out a few 'attack' replies whenever the counter gets reset. But, if recursion is denied by proper BIND configuration, then probe tests will fail every time, and hopefully the attacker will leave you alone and go looking elsewhere for a vulnerable machine.

=^_^= Tigerwolf

_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
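The post's advice boils down to checking what named.conf actually says about recursion, since the default varies by BIND version. The following is an added example (not from the thread, and not BlueOnyx's own code): two constructed named.conf fragments, one with recursion wide open and one restricted with a BIND `acl` plus `allow-recursion` and `allow-query-cache`, and a deliberately simplified regex-based checker that classifies a fragment as open, restricted, or closed. The checker is an illustration of what to look for, not a replacement for `named-checkconf` or a real parser; a fragment with no `allow-recursion` at all is flagged as open because, as the post notes, the version default may be anyone.

```python
import re

# Constructed example: recursion enabled with no allow-recursion restriction.
# Whether this is open to the world depends on the BIND version's default,
# so the checker below treats it as open.
OPEN_CONFIG = """
options {
    directory "/var/named";
    recursion yes;   // resolver for everyone who can reach us
};
"""

# Constructed example: recursion limited to an ACL of trusted networks
# (192.0.2.0/24 is documentation space, standing in for your own LAN).
RESTRICTED_CONFIG = """
acl "trusted" { localhost; localnets; 192.0.2.0/24; };
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { trusted; };    # only these may ask us to recurse
    allow-query-cache { trusted; };  # and only these may read the cache
};
"""


def strip_comments(text: str) -> str:
    """Remove the three comment styles named.conf accepts: /* */, //, #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _members(block: str) -> list:
    """Split the inside of a { a; b; } list into its items."""
    return [m.strip() for m in block.split(";") if m.strip()]


def recursion_exposure(config: str) -> str:
    """Classify a named.conf fragment as 'closed', 'restricted' or 'open'.

    Simplified check (assumption: one options block, no nested views).
    """
    text = strip_comments(config)

    # Named ACLs, so that allow-recursion { trusted; } can be expanded.
    acls = dict(re.findall(r'acl\s+"?([\w-]+)"?\s*\{([^}]*)\}\s*;', text))

    opts = re.search(r"options\s*\{(.*?)\n\};", text, re.S)
    body = opts.group(1) if opts else text

    # recursion no; means an authoritative-only server: nothing to amplify.
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", body)
    if rec and rec.group(1) == "no":
        return "closed"

    match = re.search(r"allow-recursion\s*\{([^}]*)\}\s*;", body)
    if match is None:
        # No explicit restriction: the version default applies, which on
        # older BIND releases means anyone. Treat as open.
        return "open"

    expanded = []
    for member in _members(match.group(1)):
        expanded.extend(_members(acls[member]) if member in acls else [member])

    if "any" in expanded or "0.0.0.0/0" in expanded:
        return "open"
    return "restricted"


if __name__ == "__main__":
    for name, cfg in (("open", OPEN_CONFIG), ("restricted", RESTRICTED_CONFIG)):
        print(f"{name:10s} -> {recursion_exposure(cfg)}")
```

Run it against your own /etc/named.conf by passing the file contents to `recursion_exposure`; anything other than `restricted` or `closed` on an Internet-facing host is worth a second look before an attacker's probe query finds it first.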