[ale] Fwd: Under Attack, my dns servers

Michael H. Warfield mhw at WittsEnd.com
Mon Oct 6 15:47:05 EDT 2014


On Mon, 2014-10-06 at 15:13 -0400, Horkan Smith wrote:
> Can you share the lines where you control access (including recursion)?  In my case, they look like:
> 
> named.conf.options:
>         allow-transfer { home-nets; domain-backups; };
>         allow-recursion { home-nets; domain-backups; };
>         allow-query { home-nets; domain-backups; };

It's worth noting that these do not prevent attackers from exploiting
your own name servers to attack you internally.  They just spoof the
requests from your internal (even private) addresses to request huge
blocks of response data which will then be cached in your servers and
reflected back to hammer you.  It's much better if you can block access
from the external net (either external interface or at your router) to
your recursive cacher, which then blocks incoming spoofed packets from
your internal addresses.  Most firewalls can discriminate between
recursive requests and terminal requests, so you'll still end up needing
a non-recursive DNS server for your authoritative zones.

Regards,
Mike

> Where home-nets and domain-backups are defined as acls.
> 
> later!
>    horkan
> 
> 
> On Mon, Oct 06, 2014 at 12:03:39PM -0400, Chuck Payne wrote:
> > Guys,
> > 
> > I am under attack where my DNS server is being used to do a DDoS attack. I
> > believe it's a botnet, because the IPs are too random. I don't think the
> > domain I am seeing in my BIND log is real:
> > 
> > fkfkfkfz.guru
> > 
> > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)
> > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query (cache) 'fkfkfkfz.guru/ANY/IN' denied
> > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: drop REFUSED response to 92.222.9.0/24
> > 
> > I have turned on recursion, but now people can't find my domains any more.
> > I have also tried to limit the rate as well:
> > 
> >   rate-limit {
> >                 responses-per-second 25;
> >                 window 5;
> >         };
> > 
> > 
> > I am running Debian and openSUSE.
> > 
> > Is there anything I can do to stop them and make it so people can find my domains? I
> > don't want to have to pay for something I can do and have control over.
> > 
> > -- 
> > Terror PUP a.k.a
> > Chuck "PUP" Payne
> > 
> > 678 636 9678
> > -----------------------------------------
> > Discover it! Enjoy it! Share it! openSUSE Linux.
> > -----------------------------------------
> > openSUSE -- Terrorpup
> > openSUSE Ambassador/openSUSE Member
> > skype,twitter,identica,friendfeed -- terrorpup
> > freenode(irc) --terrorpup/lupinstein
> > Register Linux Userid: 155363
> > 
> > Have you tried SUSE Studio? Need to create a Live CD,  an app you want to
> > package and distribute , or create your own linux distro. Give SUSE Studio
> > a try.
> > 
> 
> 

-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
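
An added example, not part of the original thread or anyone's posted code: a small Python parser for query-log lines in the format quoted above, counting ANY queries for names outside the zones the server is authoritative for, grouped by source prefix. The `example.org` zone, the function names and every sample line after the first two are assumptions made for the illustration.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Matches BIND querylog "query:" lines as quoted in the thread; the optional
# "@0x..." and "(qname)" groups cover newer querylog layouts.
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9a-fA-F:.]+)#\d+(?: \(\S+\))?: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)")

# Lines 1-2 are from the thread (re-joined); the rest are constructed samples.
SAMPLE_LOG = """\
06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)
06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query (cache) 'fkfkfkfz.guru/ANY/IN' denied
06-Oct-2014 11:23:28.201 client 92.222.9.12#1042: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)
06-Oct-2014 11:23:28.305 client 92.222.9.77#5311: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)
06-Oct-2014 11:23:29.010 client 198.51.100.7#40000: query: www.example.org IN A + (50.192.59.225)
06-Oct-2014 11:23:29.512 client 198.51.100.7#40001: query: example.org IN ANY + (50.192.59.225)
"""

def parse_queries(lines):
    """Yield (client_ip, qname, qtype) for each 'query:' line; skip the rest."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m["ip"], m["qname"].lower().rstrip("."), m["qtype"]

def in_served_zone(qname, zones):
    """True if qname is one of our zones or a name below one."""
    return any(qname == z or qname.endswith("." + z) for z in zones)

def foreign_any_queries(lines, zones, threshold=3):
    """Count ANY queries for names outside `zones`, per source prefix and name."""
    per_net, per_name = Counter(), Counter()
    for ip, qname, qtype in parse_queries(lines):
        if qtype == "ANY" and not in_served_zone(qname, zones):
            # /24 as in "drop REFUSED response to 92.222.9.0/24"; /56 for
            # IPv6 is an assumption. Sources may be spoofed victim addresses.
            prefix = 56 if ":" in ip else 24
            per_net[str(ip_network(f"{ip}/{prefix}", strict=False))] += 1
            per_name[qname] += 1
    flagged = {net: n for net, n in per_net.items() if n >= threshold}
    return flagged, per_name

if __name__ == "__main__":
    zones = {"example.org"}  # hypothetical: zones this server is authoritative for
    print(foreign_any_queries(SAMPLE_LOG.splitlines(), zones))
```

Because the logged client addresses in a reflection attack may be forged, the counts are useful for sizing the abuse and spotting the abused query name, not for building a source blocklist.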
