On 01/22/2014 03:29 PM, Lonnie Olson wrote:
> On Wed, Jan 22, 2014 at 1:33 PM, Daniel Fussell <[email protected]> wrote:
>> The one thing I know is, I'm being continually scanned by what appears to be bots, on both tcp and udp, despite my refusal to do the recursion, perhaps under the assumption I might screw up and start recursing again. Moving to the assumption that I may be the intended target, my response would be to cut off their communication with my server before the server ever sees the packet; the sooner the drop, the better.
>
> How bad is it? How much bandwidth or how many invalid queries per second are you experiencing?
> There is always some background noise associated with automated vulnerability scans/worms going around.
>
> To filter those packets before they reach your nameserver you'll have to employ some form of deep packet inspection. This requires just about as much processing power as your nameserver requires unless you buy specialized hardware. So the tradeoff becomes spending your time, management of a new process/system, and/or hardware to gain decreased outbound bandwidth usage. If the extraneous outbound bandwidth usage is high enough to impact your bottom line, it would be in your benefit to implement some form of DPI firewall like you were asking about. But, IMHO, it's probably not worth the tradeoff. Just do some simple blacklisting of extreme offenders.

I am doing some filtering of the extreme offenders right now. But where it's a botnet, I'm getting lots of new IPs every day. I figure if they scan me for recursion and the packet doesn't come back, eventually the botnet will forget about me and move on. But as long as I return a denied message, they are going to continue trying in the hope that I may screw up the config again.
The root zones seem to have it bad as they can't disable recursion, and I suspect they are filtering based on query type and queried zone.

;-Daniel Fussell

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
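The filtering the thread is talking about (drop recursion probes before the nameserver ever answers, and keep a count of the extreme offenders) comes down to a small decision over the DNS question section. The Python below is an added example written for this thread, not code from either poster or from any nameserver project. It assumes a hypothetical authoritative-only server for two RFC 2606 zones (AUTH_ZONES), and the source addresses in the usage note are RFC 5737 documentation addresses. It parses a raw query, drops anything whose name is outside the served zones (which is what an open-recursion probe looks like, whatever the RD bit says), drops ANY, drops malformed packets, and records per-source drop counts so a source that keeps probing can be promoted to a longer-lived blacklist entry instead of being sent REFUSED.

```python
"""Pre-nameserver filter logic for recursion probes (added example, not from the posts)."""
import struct

# Hypothetical zones this authoritative-only server serves (assumption for the example).
AUTH_ZONES = ("example.net", "example.org")

QTYPE_ANY = 255


def build_query(qname: str, qtype: int = 1, rd: bool = True, msg_id: int = 0x1234) -> bytes:
    """Construct a minimal DNS query (one question, IN class) for testing the filter offline."""
    flags = 0x0100 if rd else 0x0000          # RD is bit 8 of the flags word
    header = struct.pack("!6H", msg_id, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def parse_query(pkt: bytes):
    """Return (id, rd, qname, qtype, qclass) for the first question of a DNS query.

    Anything a filter should not trust (short header, QR set, QDCOUNT != 1,
    truncated or compressed QNAME) raises ValueError so the caller can drop it.
    """
    if len(pkt) < 12:
        raise ValueError("short header")
    msg_id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    if flags & 0x8000:
        raise ValueError("QR set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("unexpected QDCOUNT")
    rd = bool(flags & 0x0100)
    labels = []
    pos = 12
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        if pos + length > len(pkt):
            raise ValueError("truncated label")
        labels.append(pkt[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return msg_id, rd, ".".join(labels), qtype, qclass


def in_auth_zone(qname: str, zones=AUTH_ZONES) -> bool:
    """True if qname is the apex of, or below, one of the served zones."""
    return any(qname == z or qname.endswith("." + z) for z in zones)


def verdict(pkt: bytes, zones=AUTH_ZONES) -> str:
    """'pass' hands the packet to the nameserver; 'drop' discards it silently.

    A name outside the served zones is a recursion probe regardless of RD,
    because a resolver that knows we are authoritative-only never sends it.
    ANY is dropped because it is the usual amplification query.
    """
    try:
        _id, _rd, qname, qtype, qclass = parse_query(pkt)
    except ValueError:
        return "drop"
    if qclass != 1 or qtype == QTYPE_ANY:
        return "drop"
    if not in_auth_zone(qname, zones):
        return "drop"
    return "pass"


class OffenderTracker:
    """Count dropped probes per source; past the threshold the source is blacklisted."""

    def __init__(self, threshold: int = 100):
        self.threshold = threshold
        self.drops = {}
        self.blacklist = set()

    def record(self, src: str, v: str) -> bool:
        """Record one verdict for src and return whether src is now blacklisted."""
        if v == "drop":
            self.drops[src] = self.drops.get(src, 0) + 1
            if self.drops[src] >= self.threshold:
                self.blacklist.add(src)
        return src in self.blacklist
```

Usage, with constructed packets: `verdict(build_query("www.example.net"))` is `"pass"`, while `verdict(build_query("example.com"))`, `verdict(build_query("example.net", qtype=QTYPE_ANY))` and `verdict(b"\x00\x01")` are all `"drop"`; feeding three drops from `203.0.113.5` into `OffenderTracker(threshold=3)` returns `True` on the third call. In production this decision would live in the packet filter or a DNS front-end rather than in Python, but the logic is the same: no reply at all for out-of-zone names, so the probing host never learns whether the server is there.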
