<div dir="ltr">That's my problem. I am running Debian and I don't know a good, easy-to-use firewall. These servers are important because I use them as a lab; everything was great until three weeks ago. :( These boxes are public facing; I have things running that people need to access. </div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 6, 2014 at 3:47 PM, Michael H. Warfield <span dir="ltr"><<a href="mailto:mhw@wittsend.com" target="_blank">mhw@wittsend.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Mon, 2014-10-06 at 15:13 -0400, Horkan Smith wrote:<br>
> Can you share the lines where you control access (including recursion)? In my case, they look like:<br>
><br>
> named.conf.options:<br>
> allow-transfer { home-nets; domain-backups; };<br>
> allow-recursion { home-nets; domain-backups; };<br>
> allow-query { home-nets; domain-backups; };<br>
<br>
</span>It's worth noting that these do not prevent attackers from exploiting<br>
your own name servers to attack you internally. They just spoof the<br>
requests from your internal (even private) addresses to request huge<br>
blocks of response data which will then be cached in your servers and<br>
reflected back to hammer you. It's much better if you can block access<br>
from the external net (either external interface or at your router) to<br>
your recursive cacher, which then blocks incoming spoofed packets from<br>
your internal addresses. Most firewalls can discriminate between<br>
recursive requests and terminal requests, so you'll still end up needing<br>
a non-recursive DNS server for your authoritative zones.<br>
<br>
Regards,<br>
Mike<br>
<div><div class="h5"><br>
> Where home-nets and domain-backups are defined as acls.<br>
><br>
> later!<br>
> horkan<br>
><br>
><br>
> On Mon, Oct 06, 2014 at 12:03:39PM -0400, Chuck Payne wrote:<br>
> > Guys,<br>
> ><br>
> > I am under attack where my dns server is being used to do a ddos attack. I<br>
> > believe it's a bot net, because the ip are too random. I don't think the<br>
> > domain I am seeing in my bind log is real<br>
> ><br>
> > fkfkfkfz.guru<br>
> ><br>
> > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query: fkfkfkfz.guru IN<br>
> > ANY +E (50.192.59.225)<br>
> > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query (cache)<br>
> > 'fkfkfkfz.guru/ANY/IN' denied<br>
> > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: drop REFUSED response<br>
> > to <a href="http://92.222.9.0/24" target="_blank">92.222.9.0/24</a><br>
> ><br>
> > I have turned on recursion, but now people can't find my domains any more.<br>
> > I have also tried to limit the rate as well<br>
> ><br>
> > rate-limit {<br>
> > responses-per-second 25;<br>
> > window 5;<br>
> > };<br>
> ><br>
> ><br>
> > I am running Debian and openSUSE.<br>
> ><br>
> > Anything I can do to stop them and make it so people can find my domains? I<br>
> > don't want to have to pay for something I can do and have control over.<br>
> ><br>
> > --<br>
> > Terror PUP a.k.a<br>
> > Chuck "PUP" Payne<br>
> ><br>
> > <a href="tel:678%20636%209678" value="+16786369678">678 636 9678</a><br>
> > -----------------------------------------<br>
> > Discover it! Enjoy it! Share it! openSUSE Linux.<br>
> > -----------------------------------------<br>
> > openSUSE -- Terrorpup<br>
> > openSUSE Ambassador/openSUSE Member<br>
> > skype, twitter, identica, friendfeed -- terrorpup<br>
> > freenode(irc) --terrorpup/lupinstein<br>
> > Register Linux Userid: 155363<br>
> ><br>
> > Have you tried SUSE Studio? Need to create a Live CD, an app you want to<br>
> > package and distribute, or create your own Linux distro. Give SUSE Studio<br>
> > a try.<br>
> ><br>
> ><br>
> ><br>
> ><br>
><br>
> > _______________________________________________<br>
> > Ale mailing list<br>
> > <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
> > <a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
> > See JOBS, ANNOUNCE and SCHOOLS lists at<br>
> > <a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
><br>
><br>
<br>
--<br>
</div></div>Michael H. Warfield (AI4NB) | <a href="tel:%28770%29%20978-7061" value="+17709787061">(770) 978-7061</a> | mhw@WittsEnd.com<br>
/\/\|=mhw=|\/\/ | <a href="tel:%28678%29%20463-0932" value="+16784630932">(678) 463-0932</a> | <a href="http://www.wittsend.com/mhw/" target="_blank">http://www.wittsend.com/mhw/</a><br>
NIC whois: MHW9 | An optimist believes we live in the best of all<br>
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!<br>
<br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr">Terror PUP a.k.a<br>Chuck "PUP" Payne<br> <br>678 636 9678<br>-----------------------------------------<br>Discover it! Enjoy it! Share it! openSUSE Linux.<br>-----------------------------------------<br>openSUSE -- Terrorpup<br>openSUSE Ambassador/openSUSE Member<br>skype, twitter, identica, friendfeed -- terrorpup<br>freenode(irc) --terrorpup/lupinstein<br>Register Linux Userid: 155363<br> <br>Have you tried SUSE Studio? Need to create a Live CD, an app you want to package and distribute, or create your own Linux distro. Give SUSE Studio a try.<br><br></div>
</div>
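An added example, not code from anyone in the thread: it applies Mike's point about spoofed sources to BIND query-log lines in the format Chuck posted. It counts ANY queries per name and how many distinct client addresses and /24 networks sent them; many "clients" all asking ANY for one name is the reflection pattern, and those client addresses are the spoofed victims, not the attackers. The SAMPLE_LOG lines are constructed for the example and the function names are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample lines in the BIND query-log format quoted in the thread
# (a "query:" line per request, plus the "denied" line the cache view logs).
SAMPLE_LOG = """\
06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)
06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query (cache) 'fkfkfkfz.guru/ANY/IN' denied
06-Oct-2014 11:23:28.301 client 92.222.9.180#51012: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)
06-Oct-2014 11:23:28.410 client 203.0.113.7#33011: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)
06-Oct-2014 11:23:29.002 client 198.51.100.5#40000: query: www.example.org IN A +E (50.192.59.225)
06-Oct-2014 11:23:29.500 client 92.222.9.181#51200: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)
"""

# Matches only the "query:" lines; the "query (cache) ... denied" lines do not match.
QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def parse_queries(log_text):
    """Yield (client_ip, qname, qtype) for each query line; other lines are skipped."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m["ip"], m["qname"], m["qtype"]


def amplification_candidates(log_text, min_queries=3):
    """Return {qname: {"queries": n, "clients": n, "nets": n}} for every name that
    received at least min_queries ANY queries. The 'clients' are distinct source
    addresses and 'nets' the distinct /24s they fall in: a single name queried
    for ANY from many addresses is the amplification signature to look for."""
    stats = defaultdict(lambda: {"queries": 0, "clients": set(), "nets": set()})
    for ip, qname, qtype in parse_queries(log_text):
        if qtype != "ANY":
            continue  # only the large-answer ANY queries matter here
        s = stats[qname]
        s["queries"] += 1
        s["clients"].add(ip)
        s["nets"].add(str(ip_network(ip + "/24", strict=False)))
    return {
        q: {"queries": s["queries"], "clients": len(s["clients"]), "nets": len(s["nets"])}
        for q, s in stats.items()
        if s["queries"] >= min_queries
    }


if __name__ == "__main__":
    for qname, info in sorted(amplification_candidates(SAMPLE_LOG).items()):
        print(f"{qname}: {info['queries']} ANY queries from "
              f"{info['clients']} clients in {info['nets']} /24s")
```

Run it against the real query log (with `querylog yes` in named.conf) and the names that show up are the ones worth rate-limiting or refusing ANY for, while the spoofed client ranges are the targets being hammered.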