Thank you ... Colin
> You may have been an unwitting part of this:
>
> http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho
>
> In Blue Quartz/Blue Onyx, under Network Service/DNS/Advanced, there's
> a checkbox labeled "Cache Record Lookups". This sounds like it might be a
> good thing, but what it's really doing is telling the DNS server to "Allow
> Recursion" if checked.
>
> Allowing recursion to *anyone* opens the server up to be a prime candidate
> for use in a DNS amplification DDoS attack, precisely what the article
> describes.
>
> To prevent this, be sure you list *ONLY* IPs/networks the server NEEDS to
> do recursive lookups for in the box: "Query Request Recursion Access by IP
> Address".
>
> To cloud the issue further, older versions of BIND may be fully open (much
> like being an open mail relay was once considered a Good Thing). In some
> versions, "localhost; localnets" are the default for which recursion is
> allowed. In others, the default means anyone.
>
> Check your BIND version and the actual recursion settings in
> /etc/named.conf.
>
> The iptables count-then-drop solutions mentioned by others here can help
> mitigate an attack on your server once one begins; but the inbound query
> traffic will still reach the server, even though no outbound response to
> it is generated.
>
> The problem with this approach is that a single or infrequent probe test
> DNS query by the attacker will get by the counter; and if recursion is
> allowed to external networks, your server would be seen and flagged as a
> good target. The solution also means that you'd be sending out a few
> 'attack' replies whenever the counter gets reset. But, if recursion is
> denied by proper BIND configuration, then probe tests will fail every
> time, and hopefully the attacker will leave you alone and go looking
> elsewhere for a vulnerable machine.
>
> =^_^= Tigerwolf
> _______________________________________________
> Blueonyx mailing list
> Blueonyx@mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
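An added audit script, not from Tigerwolf's post or the BlueOnyx/BIND projects, that checks the recursion settings in a named.conf `options` block the way the post recommends. The two sample configurations are constructed; whether a missing `allow-recursion` means "anyone" or "localhost; localnets" depends on the BIND version, as the post says, so that is passed in as a flag rather than guessed.

```python
"""Flag a BIND named.conf that would act as an open recursive resolver.

Assumptions (this is an added example): 'recursion' and 'allow-recursion'
live in the top-level options {} block; per-view settings are not handled.
"""
import re

# Constructed sample: the open configuration the post warns about.
OPEN_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { any; };
};
"""

# Constructed sample: recursion limited to the networks that need it.
RESTRICTED_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { localhost; localnets; 192.0.2.0/24; };
};
"""


def recursion_acl(conf: str):
    """Return (recursion_enabled, acl_entries_or_None) from the options block."""
    opts = re.search(r"options\s*\{(.*?)\n\};", conf, re.S)
    body = opts.group(1) if opts else conf
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", body)
    enabled = rec is None or rec.group(1) == "yes"   # BIND's default is yes
    acl = re.search(r"\ballow-recursion\s*\{([^}]*)\}\s*;", body)
    if acl is None:
        return enabled, None
    return enabled, [e.strip() for e in acl.group(1).split(";") if e.strip()]


def is_open_resolver(conf: str, old_bind_defaults: bool = False) -> bool:
    """True if the config answers recursive queries for arbitrary hosts.

    old_bind_defaults=True models the older releases the post mentions,
    where no allow-recursion line meant recursion for anyone.
    """
    enabled, acl = recursion_acl(conf)
    if not enabled:
        return False
    if acl is None:
        return old_bind_defaults   # newer default: localhost; localnets
    return any(e in ("any", "0.0.0.0/0", "::/0") for e in acl)
```

Run it against your real `/etc/named.conf` with the `old_bind_defaults` flag set according to `named -v`; anything it flags should be tightened to the same address list you enter in the BlueOnyx "Query Request Recursion Access by IP Address" box.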