On Fri, 29 Mar 2013, Colin Jack wrote:

> Can I tighten it up? We have 50+ DNS connections from the same IP at the
> same time. I would like to limit this to say 2 ;0)

Last year, a newly installed BX box was hit within a day of powering it up
for configuration and site setups.  It was, unfortunately, open by
default, and I'd not gotten around to DNS beyond basics when it was found.

We noticed this pattern once a machine is tagged as open:
- Inbound DNS port traffic was a continuous 1.6Mbps to that machine.
- The requests might switch to another IP for a while, but tended to
  favor only 2 or 3 most of the time.
- It was only a total handful (<15) of different (forged) IPs making
  the requests.

Of course, the first thing was to close the DNS hole, so if the attackers
were probing, we looked closed, so they didn't add any new ones.

We then just dropped all the offending /24 blocks with iptables.  Inbound
requests remained at 1.6 Mbps, but nothing was reaching the DNS server, so
outbound traffic was 0.  After about a month of packet dropping, the
inbound hits stopped.

We did see *occasional* short bursts of attempts at the same IPs sent to
our known locked-down servers, but those died off within a minute or two.

=^_^=  Tigerwolf
_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
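The block-by-/24 approach described in the post above, and the per-source limit Colin asked about, as an added example that is not from the thread or from BlueOnyx itself. It assumes a BIND-style query log line format ("client A.B.C.D#port: query: ..."), a constructed sample using TEST-NET addresses, and an arbitrary threshold; it aggregates sources by /24 and prints (does not apply) the iptables DROP rules, plus one hashlimit rule that caps queries per source /24. Closing the recursion hole itself is a named.conf change (allow-recursion), not covered here.

```shell
#!/bin/sh
# Added example (not the poster's script): find DNS query sources by /24
# from a BIND-style query log and emit iptables rules for the noisy ones.
# Rules are printed, not applied; review them before running as root.

# Constructed sample log (TEST-NET ranges, not real traffic). Assumed
# format: "client <ip>#<port>: query: <name> IN <type> <flags>".
SAMPLE_LOG='client 203.0.113.7#53123: query: isc.org IN ANY +E
client 203.0.113.9#41022: query: isc.org IN ANY +E
client 203.0.113.7#53124: query: isc.org IN ANY +E
client 198.51.100.4#33001: query: example.net IN A -E
client 203.0.113.40#60010: query: isc.org IN ANY +E
client 192.0.2.200#10000: query: example.com IN MX -E'

# count_blocks: read log lines on stdin, print "<count> <A.B.C.0/24>"
# sorted by count, highest first.
count_blocks() {
    awk '$1 == "client" {
        split($2, a, "#")          # "203.0.113.7#53123:" -> ip, port
        split(a[1], o, ".")        # ip -> four octets
        blk = o[1] "." o[2] "." o[3] ".0/24"
        n[blk]++
    }
    END { for (b in n) print n[b], b }' | sort -rn
}

# offending_blocks THRESHOLD: /24s with at least THRESHOLD queries in the
# sample (the threshold is an assumption; tune it to your query volume).
offending_blocks() {
    count_blocks | awk -v t="$1" '$1 >= t { print $2 }'
}

# drop_rules THRESHOLD: print one DROP rule per offending /24, inserted at
# the top of INPUT so it wins over any earlier accept rule.
drop_rules() {
    offending_blocks "$1" | while read -r blk; do
        printf 'iptables -I INPUT -s %s -p udp --dport 53 -j DROP\n' "$blk"
    done
}

# ratelimit_rule: a standing per-source cap (the "limit to N" request).
# Assumed values: drop a source /24 once it exceeds 20 queries/sec after a
# burst of 50. --hashlimit-srcmask 24 pools all hosts in the /24 together,
# which matters when the source addresses are forged within one block.
ratelimit_rule() {
    printf '%s\n' 'iptables -A INPUT -p udp --dport 53 -m hashlimit' \
        '  --hashlimit-above 20/sec --hashlimit-burst 50' \
        '  --hashlimit-mode srcip --hashlimit-srcmask 24' \
        '  --hashlimit-name dnsflood -j DROP'
}

# Stand-alone run: show the rules the sample would produce.
printf '%s\n' "$SAMPLE_LOG" | drop_rules 3
ratelimit_rule
```

A real deployment would feed the actual query log (or a tcpdump of port 53) into count_blocks rather than the sample, and would keep the hashlimit rule in place even after the per-/24 drops are removed, since the post notes that the sources shift between a few addresses over time.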
