[ale] Fwd: Under Attack, my dns servers

Lightner, Jeff JLightner at dsservices.com
Mon Oct 6 13:14:18 EDT 2014


Have you checked the source of the majority of the IPs? In the past I was able to mitigate stuff like this by adding drop rules to iptables for ranges in certain countries (Russia and Rumania are two I recall). Usually when I see this kind of event the majority is coming from a certain area or IP and I can address. (Interestingly, the most recent event turned out to be from our internal handhelds asking me for internal addresses via the external view and of course getting refused.)

You can and SHOULD turn off recursion from the external-facing interface, as anyone coming to you should only be resolving the domains for which you are authoritative. You can leave recursion on for the internal-facing network but should do that only if your internal folks use your DNS servers to resolve external domains (e.g. google.com, yahoo.com etc…).

If you’re only using a single interface (i.e. your DNS server isn’t properly DMZ’d) you may not be able to turn off recursion, in which case you should work on putting it in a DMZ so that you can segregate traffic to it.

From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Chuck Payne
Sent: Monday, October 06, 2014 12:06 PM
To: Atlanta Linux Enthusiasts - Yes! We run Linux!
Subject: [ale] Fwd: Under Attack, my dns servers



Guys,
I am under attack where my DNS server is being used to do a DDoS attack. I believe it's a botnet, because the IPs are too random. I don't think the domain I am seeing in my BIND log is real:
fkfkfkfz.guru

06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)
06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query (cache) 'fkfkfkfz.guru/ANY/IN' denied
06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: drop REFUSED response to 92.222.9.0/24

I have turned on recursion, but now people can't find my domains any more. I have also tried to limit the rate as well:

        rate-limit {
                responses-per-second 25;
                window 5;
        };

I am running Debian and openSUSE.
Anything I can do to stop them and make it so people can find my domains? I don't want to have to pay for something I can do and have control over.

--
Terror PUP a.k.a
Chuck "PUP" Payne

678 636 9678
-----------------------------------------
Discover it! Enjoy it! Share it! openSUSE Linux.
-----------------------------------------
openSUSE -- Terrorpup
openSUSE Ambassador/openSUSE Member
skype,twitter,identica,friendfeed -- terrorpup
freenode(irc) --terrorpup/lupinstein
Register Linux Userid: 155363

Have you tried SUSE Studio? Need to create a Live CD, an app you want to package and distribute, or create your own linux distro. Give SUSE Studio a try.






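Added example (not part of either message): a Python script that tallies BIND query-log lines, in the format quoted in the post, by source /24, query name and query type, which is one way to check where the majority of the queries come from. The sample log is constructed (the three lines from the post plus made-up entries), the function names are hypothetical, and only IPv4 clients are handled.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample: the first three lines are the ones quoted in the post,
# the last three are made up for this example (documentation address ranges).
SAMPLE_LOG = """\
06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)
06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query (cache) 'fkfkfkfz.guru/ANY/IN' denied
06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: drop REFUSED response to 92.222.9.0/24
06-Oct-2014 11:23:28.201 client 92.222.9.12#1234: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)
06-Oct-2014 11:23:28.305 client 198.51.100.7#5353: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)
06-Oct-2014 11:23:29.010 client 203.0.113.40#40000: query: www.example.org IN A + (50.192.59.225)
"""

# Matches only the "query:" lines, in the format shown in the post (IPv4 clients).
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9.]+)#\d+: query: (?P<qname>\S+) \S+ (?P<qtype>\S+) ")


def summarize(log_text, prefix_len=24):
    """Tally queries by source network, query name and query type."""
    nets, names, types = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m is None:
            continue  # "denied" / "drop REFUSED" lines repeat a query already counted
        nets[str(ip_network(f"{m['ip']}/{prefix_len}", strict=False))] += 1
        names[m["qname"].lower()] += 1
        types[m["qtype"]] += 1
    return nets, names, types


def any_share(types):
    """Fraction of logged queries that asked for type ANY."""
    total = sum(types.values())
    return types["ANY"] / total if total else 0.0


if __name__ == "__main__":
    nets, names, types = summarize(SAMPLE_LOG)
    print("top source /24s:", nets.most_common(3))
    print("top query names:", names.most_common(3))
    print(f"ANY share: {any_share(types):.0%}")
```

To run it against a real log, pass the file's contents to `summarize()` in place of `SAMPLE_LOG`.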