discuss AT lists.opennicproject.org
Subject: Discuss mailing list
List archive
- From: Jeff Taylor <shdwdrgn AT sourpuss.net>
- To: discuss AT lists.opennicproject.org
- Subject: Re: [opennic-discuss] Killed an IP due to excessive usage
- Date: Tue, 28 Dec 2010 20:51:01 -0700
- List-archive: <http://lists.darkdna.net/pipermail/discuss>
- List-id: <discuss.lists.opennicproject.org>
Today I have been seeing more varied traffic causing similar problems. I seem to get a flood of traffic every now and then, and then it will disappear for a few hours. Initially I was blocking by IP again to regain my connection, but that is such a heavy-handed approach and I'm not happy with it.
I've been digging into this more, and found some interesting info. First off, in every case (both the other day and today), the queries always have this specific string in common:
query: isc.org IN ANY +ED
I started digging on google and immediately found some interesting info. First off, isc.org is the group responsible for BIND. Second, there are MANY reports of DNS based DDOS attacks, always pointed at isc.org, and always using the ANY flag in their query. The nature of the attack is that for a very small query, it returns a huge amount of data.
This brings up a question: Is this attack (using the OpenNic DNS servers as the attacker) aimed at isc.org, or is it geared towards rendering opennic servers inoperative? I don't know that we have a way to answer this question.
So what do we do about this situation? Judging by the info from google, the attacks are being propagated by botnets, so we can't just simply start creating a list of blocked IP's, or it would quickly get out of hand. Since there is such a specific message being shown in my log files, I thought perhaps something like fail2ban may be useful... block the offending IP for a set period of time, then clear the ban. Unfortunately I wasn't able to find any useful info on how to create my own rules under fail2ban... perhaps someone else would have experience with this?
My next option is using a rule under iptables. It has the ability to limit traffic to a set number of packets within a timeframe. This seems like a good option to do real-time traffic limiting without permanently banning and trying to manage a list of IP's. So at the moment I am testing the following rule:
iptables -A INPUT -p udp --dport 53 -m limit --limit 20/s --limit-burst 40 -j DROP
This rule should limit DNS packets to 20 per second, but allows an initial burst of up to 40 packets. That should be more than enough for any normal traffic to come through, but still limit how much traffic the server is willing to handle from a single source. During one of the 'attacks' earlier today, I tracked a single IP requesting around 4,000 queries per minute for over 6 minutes -- well over any reasonably expected traffic.
Now I say this rule 'should' limit traffic, because as I type this I am seeing another wave coming through from two IP's that prompted my blocks earlier today. Apparently the rule is not doing what I expect as my bandwidth jumped from about 10Kb/s to over 1800Kb/s (two IP addresses slamming me with about 16,000 queries in 3 minutes). So again, if someone else has more experience with iptables, I've love to see a proper rule for this situation.
- [opennic-discuss] Killed an IP due to excessive usage, Jeff Taylor, 12/24/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Dean Gardiner, 12/24/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Jeff Taylor, 12/25/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Günter Grodotzki, 12/25/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Jeff Taylor, 12/25/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Günter Grodotzki, 12/25/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Jeff Taylor, 12/25/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Jeff Taylor, 12/28/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Christopher, 12/28/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Larry Brower, 12/28/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Jeff Taylor, 12/28/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Julian De Marchi, 12/28/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Jeff Taylor, 12/28/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Julian De Marchi, 12/28/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Larry Brower, 12/28/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Jeff Taylor, 12/28/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Julian De Marchi, 12/28/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Jeff Taylor, 12/28/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Jeff Taylor, 12/29/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Jeff Taylor, 12/29/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Christopher, 12/28/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Dean Gardiner, 12/24/2010
Archive powered by MHonArc 2.6.19.