On Fri, 29 Mar 2013, Colin Jack wrote:

> Can I tighten it up? We have 50+ DNS connections from the same IP at the
> same time. I would like to limit this to say 2 ;0)
Last year, a newly installed BX box was hit within a day of powering it up for configuration and site setups. It was, unfortunately, open by default, and I'd not gotten around to DNS beyond basics when it was found.

We noticed this pattern once a machine is tagged as open:

- Inbound DNS port traffic was a continuous 1.6Mbps to that machine.
- The requests might switch to another IP for a while, but tended to favor only 2 or 3 most of the time.
- It was only a total handful (<15) of different (forged) IPs making the requests.

Of course, the first thing was to close the DNS hole, so if the attackers were probing, we looked closed, so they didn't add any new ones. We then just dropped all the offending /24 blocks with iptables. Inbound requests remained at 1.6 Mbps, but nothing was reaching the DNS server, so outbound traffic was 0. After about a month of packet dropping, the inbound hits stopped. We did see *occasional* short bursts of attempts at the same IPs sent to our known locked-down servers, but those died off within a minute or two.

=^_^= Tigerwolf

_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
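One way to pull that pattern out of a resolver's query log, as an added example that is not part of this thread or of BlueOnyx: it counts queries per source over constructed BIND-style log lines, flags sources above a per-IP limit (the "say 2" from the question), and renders the per-/24 iptables DROP rules the reply describes. The log format, function names and sample addresses are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed BIND-style query log lines (sample data, not from the thread):
# three forged sources in 203.0.113.0/24 hammering one name with ANY queries,
# one in 198.51.100.0/24 doing the same, and one ordinary client (192.0.2.10).
def _line(src, qname, qtype):
    return f"29-Mar-2013 10:00:01.000 client {src}#53: query: {qname} IN {qtype} +"

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "example.net", "ANY")] * 8
    + [_line("203.0.113.9", "example.net", "ANY")] * 5
    + [_line("203.0.113.200", "example.net", "ANY")] * 3
    + [_line("198.51.100.4", "example.org", "ANY")] * 6
    + [_line("192.0.2.10", "www.example.com", "A")]
)

# Assumed log layout: "client <ip>#<port>: query: <name> IN <type>"
LINE_RE = re.compile(
    r"client (?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse_queries(log_text):
    """Yield (src_ip, qname, qtype) for every parseable query log line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("qname"), m.group("qtype")

def find_abusive_sources(log_text, per_ip_limit=2):
    """Return ({src_ip: count} for sources over per_ip_limit, sorted /24 blocks they fall in).

    A handful of source addresses each sending far more queries than a real client
    would is the reflection pattern the thread describes; the /24 blocks are what
    the reply says was handed to iptables.
    """
    per_ip = Counter(src for src, _, _ in parse_queries(log_text))
    offenders = {ip: n for ip, n in per_ip.items() if n > per_ip_limit}
    blocks = sorted({str(ipaddress.ip_network(f"{ip}/24", strict=False)) for ip in offenders})
    return offenders, blocks

def iptables_drop_rules(blocks, port=53):
    """Render one inbound UDP DNS DROP rule per block (string form only, nothing is applied)."""
    return [f"iptables -I INPUT -s {b} -p udp --dport {port} -j DROP" for b in blocks]

if __name__ == "__main__":
    offenders, blocks = find_abusive_sources(SAMPLE_LOG)
    print(offenders, blocks)
    print("\n".join(iptables_drop_rules(blocks)))
```

Blocking whole /24s on forged sources drops legitimate clients in those ranges too, so pair it with closing recursion, as the reply did, rather than relying on it alone.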