How to prevent DoS attacks from non-spoofed IPs on DNS.

Ladislav Vobr lvobr at ies.etisalat.ae
Mon Sep 29 04:12:01 UTC 2003


We had a similar problem (2000-3000 recursive requests per second, all 
of them with random strings, thus not cached). Unfortunately BIND 
seems to be the last thing you can do something about to stop this, 
if the IP addresses are correct and they are your valid customers (you 
can definitely restrict recursion to only your valid customers; have 
you done it?).

... rate limiting, configurable retry timeout, caching timeouts... (this 
would, I believe, help in such cases)

Another thing is to look for some alternatives for how you can handle the 
temporary load. I believe having a multiprocessor machine and BIND with 
multithreading might help; there are other software solutions which are tuned 
specially for recursive DNS service (Nominum CNS, PowerDNS...) you can 
test.

You have to make sure you are in charge of your network and nobody can 
spoof their IP address. By doing this you can partially succeed, but in 
case of viruses or a real DDoS this will not help.

> Last week one of our Web Servers was hit by large number of DNS Queries from
> several IPs

You meant DNS servers, right?


> around the world. The Domain that was mapped has our nameservers.
> 
> Here is some stats:
> 
> The number of DNS queries was approx. more than 7,200 per hour.
> Bandwidth: reached 100 times more than the normal average.
> Named was consuming more than 80% of the CPU Power.
> CPU temp was between 50 to 60.
> Load Average reached 20
> Logging-in SSH takes 3-4 minutes as DNS times out.
> Browsing website gives tcp ip error as DNS times out.
> /var/log/messages logs filled with the DNS queries below but from different
> IPs:
> 
> "denied recursion for query from [195.141.214.35].53 for domain.com IN"
> 
> Solution:
> 
> We have made a perl script that scans /var/log/messages, grabs attacking IPs,
> echoes them into another file, sorts them to remove duplicates and then triggers
> an IPchains blocking rule for each IP address.  We were hoping to find the loop as the
> IPs appeared to be generated by a script and after collecting around 12,000
> IP addresses, the loop restarted from the beginning.
> 
> Well, that solved it and really I never thought the server would stand such a
> Denial of Service, but luckily it survived.
> 
> My Question:
> 
> Is there any other way to protect servers from such attacks... I mean
> something to do with BIND...
> I know the spoofed IPs can be ignored, but all attacking IPs were real,
> pingable IP addresses.
> 
> Thanks
> 
> Al-Juhani
> aljuhani at zajil.net
> 
> 

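The log-scanning step the original poster describes (scan /var/log/messages for the "denied recursion" lines, collect the source IPs, de-duplicate, and emit one blocking rule per address), written here as an added Python example rather than the poster's own perl script. The syslog sample lines and their addresses are constructed, and the exact ipchains rule form is an assumption; the rules are only rendered as strings, not executed.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample of the syslog lines quoted in the thread (addresses made up).
# The fourth line is an ordinary query log entry and must be ignored by the parser.
SAMPLE_LOG = """\
Sep 22 10:01:02 ns1 named[412]: denied recursion for query from [198.51.100.7].53 for domain.com IN
Sep 22 10:01:02 ns1 named[412]: denied recursion for query from [203.0.113.9].53 for domain.com IN
Sep 22 10:01:03 ns1 named[412]: denied recursion for query from [198.51.100.7].53 for domain.com IN
Sep 22 10:01:03 ns1 named[412]: client 192.0.2.44#1034: query: www.example.net IN A
Sep 22 10:01:04 ns1 named[412]: denied recursion for query from [198.51.100.7].53 for domain.com IN
"""

# Matches the message body BIND wrote when it refused recursion:
#   denied recursion for query from [<ip>].<port> for <name> IN
DENIED_RE = re.compile(
    r"denied recursion for query from \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\.(?P<port>\d+) "
    r"for (?P<name>\S+) IN"
)


def count_denied_recursion(log_text):
    """Return a Counter of source IP -> number of 'denied recursion' lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offending_ips(log_text, threshold=1):
    """Unique source IPs with at least `threshold` refused queries, in address order.

    A threshold above 1 keeps a single stray lookup from a legitimate host
    from being blocked along with the flood.
    """
    counts = count_denied_recursion(log_text)
    hits = [ip for ip, n in counts.items() if n >= threshold]
    return sorted(hits, key=ipaddress.ip_address)


def ipchains_rules(ips):
    """Render one ipchains DENY rule per address (assumed rule form; not executed)."""
    return ["ipchains -A input -s %s -j DENY" % ip for ip in ips]


if __name__ == "__main__":
    for rule in ipchains_rules(offending_ips(SAMPLE_LOG, threshold=2)):
        print(rule)
```

Per-address firewall rules scale poorly once the list reaches the thousands the poster mentions; restricting recursion to your own customers in named.conf, as the reply suggests, stops the recursive work itself rather than chasing each source.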


More information about the bind-users mailing list