Re: DGA Attack mitigation

2018-04-10 Thread manu tman via Unbound-users

Re: DGA Attack mitigation

2018-04-10 Thread W.C.A. Wijngaards via Unbound-users

Re: DGA Attack mitigation

2018-04-09 Thread Mahdi Adnan via Unbound-users
Thank you all for your response, -- Respectfully Mahdi A. Mahdi

Re: DGA Attack mitigation

2018-04-09 Thread Paul Vixie via Unbound-users
Rainer Duffner via Unbound-users wrote: On 09.04.2018 at 20:04, Mahdi Adnan via Unbound-users wrote: I'm running 20 Unbound servers and around 20% of responses are NXDOMAIN, for queries coming from my clients. Block those IPs that are obviously p4wned u

Re: DGA Attack mitigation

2018-04-09 Thread Eduardo Schoedler via Unbound-users
2018-04-09 16:15 GMT-03:00 Paul Vixie via Unbound-users:
> Rainer Duffner via Unbound-users wrote:
>>> On 09.04.2018 at 20:04, Mahdi Adnan via Unbound-users wrote:
>>>
>>> I'm running 20 Unbound servers and around 20% of responses are NXDOMAIN,

Re: DGA Attack mitigation

2018-04-09 Thread Paul Vixie via Unbound-users
Rainer Duffner wrote: On 09.04.2018 at 21:15, Paul Vixie wrote: the source addresses are forged. the victims are not unclean in any way. this is why rrl exists. ... Most people using our resolvers use our CPE, our lines, our servers…. And the rest doesn’t even h

Re: DGA Attack mitigation

2018-04-09 Thread Paul Vixie via Unbound-users
rrl can help. it has a separate quota for negative responses, usually on a source /24 basis that is narrow enough to encompass specific reflection victims. re: Mahdi Adnan via Unbound-users wrote: Hi, I'm wondering how Unbound users are handling DGA and DGA-like attacks. I'm running 20 Unbound

Re: DGA Attack mitigation

2018-04-09 Thread Rainer Duffner via Unbound-users
> On 09.04.2018 at 21:15, Paul Vixie wrote:
>
> the source addresses are forged. the victims are not unclean in any way. this is why rrl exists.

Sorry. We „know“ our clients, mostly. Obviously, we’re a smaller shop. Most people using our resolvers use our CPE, our lines, our servers….

Re: DGA Attack mitigation

2018-04-09 Thread Paul Vixie via Unbound-users
Rainer Duffner via Unbound-users wrote: On 09.04.2018 at 20:04, Mahdi Adnan via Unbound-users wrote: I'm running 20 Unbound servers and around 20% of responses are NXDOMAIN, for queries coming from my clients. Block those IPs that are obviously p4wned u

Re: DGA Attack mitigation

2018-04-09 Thread Rainer Duffner via Unbound-users
> On 09.04.2018 at 20:04, Mahdi Adnan via Unbound-users wrote:
>
> I'm running 20 Unbound servers and around 20% of responses are NXDOMAIN, for queries coming from my clients.

Block those IPs that are obviously p4wned until they clean up their PCs?

Re: DGA Attack mitigation

2018-04-09 Thread Petr Špaček via Unbound-users
Hi, generally speaking 20 % of NXDOMAIN (or even more) is about the normal pattern we see in normal traffic. Blame Google Chrome and the like, they use it to detect DNS hijacking. Aggressive use of DNSSEC-validated cache will help for signed zones but there is no real 'solution' except fixing clients

Re: DGA Attack mitigation

2018-04-09 Thread Mahdi Adnan via Unbound-users
On 09.04.2018 at 20:04, Mahdi Adnan via Unbound-users wrote: I'm running 20 Unbound servers and around 20% of responses are NXDOMAIN, for queries coming from my clients. Block those IPs that are obviously p

DGA Attack mitigation

2018-04-09 Thread Mahdi Adnan via Unbound-users
Hi, I'm wondering how Unbound users are handling DGA and DGA-like attacks. I'm running 20 Unbound servers and around 20% of responses are NXDOMAIN, for queries coming from my clients. Anyone experienced this kind of attack before? If so, how do you protect your servers against it? Is there somet