Re: [CentOS] BIND server getting DDOS

2022-08-04 Thread Mark Milhollan

On Wed, 3 Aug 2022, Gordon Messmer wrote:

> On 8/3/22 11:08, Mark Milhollan wrote:
>
>> Usually that's someone hoping to use you in a reflection attack
>
> Doesn't a reflection attack require the reflecting server to answer queries?
> I'd think that the server logging that the query was denied would indicate
> that it is not vulnerable to that type of abuse.


The server did send a DNS response packet to the apparent sources, just 
not as large as an attacker usually hopes for -- a referral is 800+ 
bytes vs REFUSED which is about 30.  So a successful reflection but not 
quite the level of attack desired.


The source addresses might be correct but in that case the systems are 
misconfigured since they want to resolve the root to an IP address, 
perhaps due to a recent update.



/mark
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
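The size comparison Mark makes above, worked through at the wire level as an added example (not code from the thread or from BIND): build the `./A/IN` query that appears in the logs, build the REFUSED that a server declining recursion sends back, and compare what the spoofed "source" receives against a referral of the size Mark quotes. Field layouts follow RFC 1035; the 28-byte IPv4+UDP overhead and the 800-byte referral figure are assumptions used only for the ratio.

```python
import struct

# RFC 1035 constants (standard values, not taken from the thread).
RCODE_REFUSED = 5
QTYPE = {"A": 1, "NS": 2, "ANY": 255}
QCLASS_IN = 1
IPV4_UDP_OVERHEAD = 28  # assumption: 20-byte IPv4 header + 8-byte UDP header, no options


def encode_name(name):
    """Wire form of a domain name.  The root '.' is a lone zero octet."""
    out = b""
    for label in name.strip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid, name, qtype):
    """A stub-resolver style UDP query: 12-byte header + one question, no EDNS OPT."""
    flags = 0x0100  # QR=0, OPCODE=QUERY, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], QCLASS_IN)


def question_end(msg):
    """Offset just past the first question (name labels, then QTYPE and QCLASS)."""
    off = 12
    while True:
        length = msg[off]
        if length == 0:
            return off + 1 + 4
        if length & 0xC0:
            raise ValueError("compression pointer inside a question name")
        off += 1 + length


def build_refused(query):
    """The reply a server gives when the client may not recurse: same ID, QR=1,
    RCODE=REFUSED, the question echoed, nothing else.  Any OPT record in the
    query is dropped here (ARCOUNT=0); a real BIND echoes a small OPT, which
    adds 11 bytes and does not change the conclusion below."""
    txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    resp_flags = 0x8000 | (flags & 0x7800) | (flags & 0x0100) | RCODE_REFUSED
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0)
    return header + query[12:question_end(query)]


def rcode(msg):
    return struct.unpack("!H", msg[2:4])[0] & 0x000F


def is_response(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & 0x8000)


def amplification(query, response, overhead=IPV4_UDP_OVERHEAD):
    """Bytes delivered to the spoofed source per byte the attacker sent, on the wire."""
    return (len(response) + overhead) / (len(query) + overhead)


if __name__ == "__main__":
    q = build_query(0x1234, ".", "A")  # the './A/IN' question seen in the logs
    r = build_refused(q)
    print(f"query {len(q)} B, REFUSED {len(r)} B, gain {amplification(q, r):.1f}x")
    # Mark's comparison: a root referral of 800+ bytes instead of REFUSED (800 assumed).
    print(f"an 800 B referral would give {amplification(q, b'x' * 800):.1f}x")
```

The reflection itself still happens, since a packet is sent to whatever address the attacker forged, but with REFUSED the attacker gets back exactly the bytes put in, which is why the thread treats the denied queries as a nuisance rather than an amplifier.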


Re: [CentOS] BIND server getting DDOS

2022-08-04 Thread Mike Burger

On 2022-08-03 23:20, Gordon Messmer wrote:

> On 8/3/22 11:08, Mark Milhollan wrote:
>
>> Usually that's someone hoping to use you in a reflection attack
>
> Doesn't a reflection attack require the reflecting server to answer
> queries?  I'd think that the server logging that the query was denied
> would indicate that it is not vulnerable to that type of abuse.


While this is true, denial of those queries doesn't prevent that server 
from potentially being flooded with those queries.

--
Mike Burger
http://www.bubbanfriends.org

"It's always suicide-mission this, save-the-planet that. No one ever 
just stops by to say 'hi' anymore." --Colonel Jack O'Neill, SG1



Re: [CentOS] BIND server getting DDOS

2022-08-03 Thread Gordon Messmer

On 8/3/22 11:08, Mark Milhollan wrote:

> Usually that's someone hoping to use you in a reflection attack



Doesn't a reflection attack require the reflecting server to answer 
queries?  I'd think that the server logging that the query was denied 
would indicate that it is not vulnerable to that type of abuse.




Re: [CentOS] BIND server getting DDOS

2022-08-03 Thread Phil Perry

On 03/08/2022 19:08, Mark Milhollan wrote:

> On Tue, 2 Aug 2022, Robert Moskowitz wrote:
>
>> I just, maybe, figured out why I have been having problems with my
>> CentOS DNS server with BIND 9.11.4.
>>
>> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.194.4#11205 (.):  view external: query (cache) './A/IN' denied
>> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.216.196#64956 (.):  view external: query (cache) './A/IN' denied
>> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 64.68.114.141#39466 (.):  view external: query (cache) './A/IN' denied
>> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 209.197.198.45#13280 (.):  view external: query (cache) './A/IN' denied
>> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.202.117#41955 (.):  view external: query (cache) './A/IN' denied
>> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 62.109.204.22#4406 (.):  view external: query (cache) './A/IN' denied
>> Aug  2 15:47:49 onlo named[6155]: client @0xa9420720 64.68.104.9#38518 (.):  view external: query (cache) './A/IN' denied
>> Aug  2 15:47:50 onlo named[6155]: client @0xaa882dc8 114.29.202.117#9584 (.):  view external: query (cache) './A/IN' denied
>
> Usually that's someone hoping to use you in a reflection attack, which
> is successful since UDP can be forged but it hasn't got the volume it
> might if you answered differently (with a referral).  Sometimes it is a
> policy denial attack, hoping you will block the apparent source thus
> denying it service.
>
> The only way to stop it is for all others to employ BCP 38 which will
> likely never happen, or for you to stop allowing outside use of your
> nameserver which means having someone else handle DNS for you (which
> just seems to stop it, from your perspective).
>
> It shouldn't cause problems unless your server is vastly underpowered.
> What problems are you experiencing?





Enabling rate limiting in BIND can help.

https://kb.isc.org/docs/aa-00994





Re: [CentOS] BIND server getting DDOS

2022-08-03 Thread Mark Milhollan

On Tue, 2 Aug 2022, Robert Moskowitz wrote:

> I just, maybe, figured out why I have been having problems with my CentOS DNS
> server with BIND 9.11.4.
>
> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.194.4#11205 (.):  view external: query (cache) './A/IN' denied
> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.216.196#64956 (.):  view external: query (cache) './A/IN' denied
> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 64.68.114.141#39466 (.):  view external: query (cache) './A/IN' denied
> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 209.197.198.45#13280 (.):  view external: query (cache) './A/IN' denied
> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.202.117#41955 (.):  view external: query (cache) './A/IN' denied
> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 62.109.204.22#4406 (.):  view external: query (cache) './A/IN' denied
> Aug  2 15:47:49 onlo named[6155]: client @0xa9420720 64.68.104.9#38518 (.):  view external: query (cache) './A/IN' denied
> Aug  2 15:47:50 onlo named[6155]: client @0xaa882dc8 114.29.202.117#9584 (.):  view external: query (cache) './A/IN' denied


Usually that's someone hoping to use you in a reflection attack, which 
is successful since UDP can be forged but it hasn't got the volume it 
might if you answered differently (with a referral).  Sometimes it is a 
policy denial attack, hoping you will block the apparent source thus 
denying it service.


The only way to stop it is for all others to employ BCP 38 which will 
likely never happen, or for you to stop allowing outside use of your 
nameserver which means having someone else handle DNS for you (which 
just seems to stop it, from your perspective).


It shouldn't cause problems unless your server is vastly underpowered. 
What problems are you experiencing?



/mark


Re: [CentOS] BIND server getting DDOS

2022-08-02 Thread Gordon Messmer

On 8/2/22 14:03, Robert Moskowitz wrote:
> I just, maybe, figured out why I have been having problems with my
> CentOS DNS server with BIND 9.11.4.



Can you tell us more about what problem you've been having?


> Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.194.4#11205 (.): view external: query (cache) './A/IN' denied
>
> grep -c denied messages
> 46038
>
> And that is since Jul 31 3am.



If I'm not mistaken, your system is averaging one query denied every 4.6 
seconds.  That's not a large volume, as an average. Probably not a 
DDOS... A DNS server connected to the internet is very likely to get 
occasional queries.



> Anyone have recommendations on how to stop this?



If this server is the authoritative server for domains: completely turn 
off recursive support.  Authoritative servers should serve their 
authoritative domains, only.


If this server offers recursive queries to your local network, use its 
firewall to allow traffic from the networks that are allowed to make 
queries, and drop all other traffic.


Disable connection tracking for port 53 in your firewall.

https://kb.isc.org/docs/bind-best-practices-recursive

https://kb.isc.org/docs/aa-01183

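An added example, not code from the thread, that parses "query denied" lines of the shape posted above and reports what Gordon works out by hand: total count, per-second peak, apparent sources, and the mean interval between denials. The sample lines are the ones quoted in the thread; the year is assumed to be 2022 because syslog timestamps carry none. Per-source counts are labelled "apparent" on purpose: the thread notes that UDP sources can be forged, so a block list built automatically from these addresses (the Fail2Ban route) would punish whoever is being spoofed rather than the sender.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the eight denied-query lines quoted in the thread, unwrapped.
SAMPLE_LOG = """\
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.194.4#11205 (.):  view external: query (cache) './A/IN' denied
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.216.196#64956 (.):  view external: query (cache) './A/IN' denied
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 64.68.114.141#39466 (.):  view external: query (cache) './A/IN' denied
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 209.197.198.45#13280 (.):  view external: query (cache) './A/IN' denied
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.202.117#41955 (.):  view external: query (cache) './A/IN' denied
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 62.109.204.22#4406 (.):  view external: query (cache) './A/IN' denied
Aug  2 15:47:49 onlo named[6155]: client @0xa9420720 64.68.104.9#38518 (.):  view external: query (cache) './A/IN' denied
Aug  2 15:47:50 onlo named[6155]: client @0xaa882dc8 114.29.202.117#9584 (.):  view external: query (cache) './A/IN' denied
"""

# Shape of a BIND 9.11 "query denied" line as it appears in the thread.  The
# "@0x..." client handle and the "view X:" part are treated as optional.
DENIED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\):\s+(?:view (?P<view>[^:]+): )?"
    r"query \((?P<kind>\w+)\) '(?P<name>[^/]+)/(?P<qtype>[^/]+)/(?P<qclass>[^']+)' denied$"
)

SYSLOG_YEAR = 2022  # assumption: syslog timestamps have no year; the thread is from Aug 2022


def parse_denied(line):
    """Return a dict for one 'query denied' line, or None for anything else."""
    m = DENIED_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{SYSLOG_YEAR} {rec['ts']}", "%Y %b %d %H:%M:%S")
    rec["port"] = int(rec["port"])
    return rec


def average_interval_seconds(count, first, last):
    """Mean seconds between denials over a window: the 'one every N seconds' figure."""
    if count <= 0:
        raise ValueError("count must be positive")
    return (last - first).total_seconds() / count


def summarize(log_text):
    """Aggregate denied queries: how many, how bursty, from where, asking what.

    kind == 'cache' means recursion was refused for a client outside the
    allowed set; the server answers with a short REFUSED.  The IPs come from
    UDP and may be spoofed, hence 'apparent_sources': do not turn them into
    firewall rules without corroboration.
    """
    recs = [r for r in (parse_denied(line) for line in log_text.splitlines()) if r]
    if not recs:
        return {"total": 0}
    per_second = Counter(r["ts"] for r in recs)
    first, last = min(r["ts"] for r in recs), max(r["ts"] for r in recs)
    return {
        "total": len(recs),
        "window_seconds": (last - first).total_seconds(),
        "mean_interval_seconds": average_interval_seconds(len(recs), first, last),
        "peak_per_second": max(per_second.values()),
        "recursion_refused": sum(1 for r in recs if r["kind"] == "cache"),
        "apparent_sources": Counter(r["ip"] for r in recs),
        "questions": Counter(f"{r['name']}/{r['qtype']}/{r['qclass']}" for r in recs),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} denied, peak {s['peak_per_second']}/s, "
          f"{len(s['apparent_sources'])} apparent sources, {s['questions']}")
    for ip, n in s["apparent_sources"].most_common(3):
        print(f"  {ip:16} {n}")
    # The original poster's totals: 46038 denials since Jul 31 03:00; the end of
    # the window is taken as the last quoted log line (year assumed).
    print("mean interval over the reported window: %.1f s" % average_interval_seconds(
        46038, datetime(2022, 7, 31, 3), datetime(2022, 8, 2, 15, 47, 19)))
```

Run against the real log, the peak-per-second figure is the one to watch: a burst of six identical root queries in one second from six different addresses is consistent with a reflection probe, while a low long-run average like the one Gordon computes is what the thread means by "not a DDOS".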


Re: [CentOS] BIND server getting DDOS

2022-08-02 Thread Spoto, Ron
Maybe try Fail2Ban on your server?

-----Original Message-----
From: CentOS  On Behalf Of Robert Moskowitz
Sent: Tuesday, August 2, 2022 2:03 PM
To: CentOS mailing list 
Subject: [External] [CentOS] BIND server getting DDOS

I just, maybe, figured out why I have been having problems with my CentOS DNS 
server with BIND 9.11.4.

Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.194.4#11205 (.): view external: query (cache) './A/IN' denied
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.216.196#64956 (.): view external: query (cache) './A/IN' denied
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 64.68.114.141#39466 (.): view external: query (cache) './A/IN' denied
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 209.197.198.45#13280 (.): view external: query (cache) './A/IN' denied
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.202.117#41955 (.): view external: query (cache) './A/IN' denied
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 62.109.204.22#4406 (.): view external: query (cache) './A/IN' denied
Aug  2 15:47:49 onlo named[6155]: client @0xa9420720 64.68.104.9#38518 (.): view external: query (cache) './A/IN' denied
Aug  2 15:47:50 onlo named[6155]: client @0xaa882dc8 114.29.202.117#9584 (.): view external: query (cache) './A/IN' denied

grep -c denied messages
46038

And that is since Jul 31 3am.

Anyone have recommendations on how to stop this?

thanks



[CentOS] BIND server getting DDOS

2022-08-02 Thread Robert Moskowitz
I just, maybe, figured out why I have been having problems with my 
CentOS DNS server with BIND 9.11.4.


Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.194.4#11205 (.): view external: query (cache) './A/IN' denied
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.216.196#64956 (.): view external: query (cache) './A/IN' denied
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 64.68.114.141#39466 (.): view external: query (cache) './A/IN' denied
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 209.197.198.45#13280 (.): view external: query (cache) './A/IN' denied
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.202.117#41955 (.): view external: query (cache) './A/IN' denied
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 62.109.204.22#4406 (.): view external: query (cache) './A/IN' denied
Aug  2 15:47:49 onlo named[6155]: client @0xa9420720 64.68.104.9#38518 (.): view external: query (cache) './A/IN' denied
Aug  2 15:47:50 onlo named[6155]: client @0xaa882dc8 114.29.202.117#9584 (.): view external: query (cache) './A/IN' denied


grep -c denied messages
46038

And that is since Jul 31 3am.

Anyone have recommendations on how to stop this?

thanks
