Skip to Content.
Sympa Menu

discuss - Re: [opennic-discuss] Today's DDoS

discuss AT

Subject: Discuss mailing list

List archive

Re: [opennic-discuss] Today's DDoS

Chronological Thread 
  • From: Guillaume Parent <gparent AT>
  • To: discuss AT
  • Subject: Re: [opennic-discuss] Today's DDoS
  • Date: Thu, 28 Mar 2013 13:04:12 -0400

Thank you very much,

On Mar 28, 2013 12:17 PM, "Stefan Sabolowitsch" <Stefan.Sabolowitsch AT> wrote:
Hi Guillaume,
sure no problem. I reported last year in this list "dns-operations AT".

Hi all,
We all fight against dDOS, DOS to our DNS Server

short small example:
2-Nov-2012 07:45:58.339 client ( query: IN ANY +ED (
22-Nov-2012 07:45:58.453 client ( query: IN ANY +ED (
22-Nov-2012 07:45:58.661 client ( query: IN ANY +ED (
22-Nov-2012 07:46:00.065 client ( query: IN ANY +ED (
22-Nov-2012 07:46:01.696 client ( query: IN ANY +ED (
22-Nov-2012 07:46:01.786 client ( query: IN ANY +ED (
22-Nov-2012 07:46:03.075 client ( query: IN ANY +ED (
22-Nov-2012 07:46:03.509 client ( query: IN ANY +ED (

I found this nice patch from dns / dnssec Expert Lutz Donnerhacke here:

An this small Information on this List.

After this patch and with this Parameters in named.conf

       dampening {
                    exempt-clients {;;;;;;;; };
                    report-interval 60 ;
                    score-per-query 1 ;
                    score-first-query 10 ;
                    min-table-size 500 ;
                    max-table-size 1000 ;
                    limit-maximum 32000 ;
                    # limit-enable-dampening min. 0.3 from limit-maximum
                    limit-enable-dampening 16000 ;
                    # limit-disable-dampening min. 0.1 from limit-maximum or limit-enable-dampening
                    limit-disable-dampening 5100 ;
                    limit-irrelevant 150 ;
                    score-qtype-any 100 ;
                    score-duplicates 100 ;
                    IPv4-prefix-length 24 ;
                    IPv6-prefix-length 48 ;
now i found in named.log this new information:

27-Nov-2012 15:56:08.181 client ( query: IN ANY +ED ( 15956
27-Nov-2012 15:56:08.181 dampening activated.

In the first Line at end, there is now the score value "15956"
In the second line you can see that this IP address /netblock in "Dampening" has come (limit-enable-dampening 16000).

After a week of testing, i can say it works very well.
I need no local firewall parameters or scripts to protect my test DNS server.

And here you can find all test, information about "DNS Dampening"

Perhaps this information is also interesting for other  with DNS servers.


Am 28.03.2013 um 16:59 schrieb Guillaume Parent <gparent AT>:


If it works well, can we have a few details about it? I'm starting to have a decent firewall setup but I think all of us would benefit from the info.


On Mar 28, 2013 10:56 AM, "Stefan Sabolowitsch" <Stefan.Sabolowitsch AT> wrote:
Hi Jeff / all
Thank you for your help but i have a good solution with DNS Dampening and a pro active IPS / FW.
Thus, all systems are stable and accessible (i hope so for the future).


Am 28.03.2013 um 15:29 schrieb Jeff Taylor <shdwdrgn AT>:

Have you looked at http://wiki.opennic.glue/Tier2Security ?
If you can post a few examples of what you're getting from tcpdump, we could try to help.  Having several example packets will tell me if the bot hitting you is using a single port, or if there is a pattern in the attack we can use to block them.  Unfortunately the log snippet you posted does not give any useful info.

On 03/28/2013 02:06 AM, Stefan Sabolowitsch wrote:
Hi all, 
I can not say that it is quiet / silent for me.
On all three DNS Servers, i've been constantly DNS attacks for about 4 weeks and this with 1 -2 k requests per second

really small example:
03/28/2013-06:13:39.134900 [Drop] [**] [1:2016016:6] ET CURRENT_EVENTS DNS Amplification Attack Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} ->

But help me out here DNS Dampening and an pro active IPS System.


Archive powered by MHonArc 2.6.19.

Top of Page