discuss AT lists.opennicproject.org

Subject: Discuss mailing list

List archive

Re: [opennic-discuss] DoS amp attack today

From: Jeff Taylor <shdwdrgn AT sourpuss.net>
To: discuss AT lists.opennicproject.org
Subject: Re: [opennic-discuss] DoS amp attack today
Date: Mon, 15 Apr 2013 22:31:03 -0600

Rate-limiting is the best first-step in this game. Even if you can't prevent your server from being used in an attack, you can at least greatly limit the actual damage being done to yourself and the intended target. I would highly recommend that ALL public DNS servers implement some manner of rate limiting.

I haven't really found anything else that would help us, but that doesn't mean I didn't miss it. Is anyone familiar with a tool like fail2ban that we could use? Ideally I'd like to see a short-term ban on any IP's making excessive queries for a single domain. Most IP's are spoofed anyway, so there's no reason to hold them for more than a few minutes after they stop flooding. I think anything past about 50 queries (and probably less) in 1 minute should be dropped completely, not even sending a reply or reject after that point. If we can at least prevent all of the OpenNic servers from being listed as useful attack points, it could help reduce the overall number of attacks, and would definitely improve our image in network security.

On 04/15/2013 09:10 PM, David Norman wrote:

Yeah, my server ended up in the middle of a DoS on a German game site
about a week ago. It made the ddos.pl script peg one of my CPU cores,
which took over an hour to figure out what to block.

Kenny Taylor published some iptables rules to help on the list and my
server has calmed down. I suspect if I turned on logging that I would
still find things I wouldn't be happy about. I find it hard to believe
that we need to be inventing our own iptables rules for a public
recursive DNS server.

The bigger question I have is - has anyone here really spent the time
to see if someone has compiled a list of realistic, protective rules?

On 4/15/13 9:21 PM, Guillaume Parent wrote:
> Hey guys,

> Got hit by my first semi significant DoS today, about 28 queries
> per second caused 4 Mbps outbound.

> CPU went from 4-6% to 20%. The whole thing went on for about 4-5
> hours until I blacklisted the 3 IPs involved.

> They requested a massive TXT record that was on a russian server
> somewhere.

> Anyone see something similar?

>
>
>
> --------
> You are a member of the OpenNIC Discuss list.
> You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org

[opennic-discuss] DoS amp attack today, Guillaume Parent, 04/15/2013
- Re: [opennic-discuss] DoS amp attack today, Kenny Taylor, 04/15/2013
- Re: [opennic-discuss] DoS amp attack today, David Norman, 04/15/2013
  - Re: [opennic-discuss] DoS amp attack today, Jeff Taylor, 04/16/2013
    - Re: [opennic-discuss] DoS amp attack today, Tim Groeneveld, 04/16/2013
      - Re: [opennic-discuss] DoS amp attack today, Tim Groeneveld, 04/16/2013
        
        Re: [opennic-discuss] DoS amp attack today, Stefan Sabolowitsch, 04/16/2013
        
        Re: [opennic-discuss] DoS amp attack today, Futuro, 04/16/2013
        
        Re: [opennic-discuss] DoS amp attack today, Jeff Taylor, 04/16/2013
        
        Re: [opennic-discuss] DoS amp attack today, Guillaume Parent, 04/16/2013
        Re: [opennic-discuss] DoS amp attack today, Jeff Taylor, 04/16/2013
        Re: [opennic-discuss] DoS amp attack today, Jamyn Shanley, 04/17/2013
        Re: [opennic-discuss] DoS amp attack today, Julian DeMarchi, 04/17/2013
        
        Re: [opennic-discuss] DoS amp attack today, mike, 04/16/2013