How to prevent DoS attacks from non-spoofed IPs on DNS.
Ladislav Vobr
lvobr at ies.etisalat.ae
Mon Sep 29 04:12:01 UTC 2003
we had similar problem, (in 2000-3000 recursive requests per second, all
of them with random strings, thus not cached) unfortunately bind
seems to be the last thing you can do something about to stop this,
if the IP addresses are correct and they are your valid customers, (you
can definitely restrict the recursion to only your valid customers, have
you done it?)
... rate limiting, configurable retry timeout, caching timeouts... (this
would I believe help in such cases)
another thing is to look for some alternatives for how you can handle the
temporary load, I believe having a multiprocessor machine and bind with
multithreading might help, there are other sw solutions which are tuned
specially for recursive dns service (nominum cns, power dns...) you can
test.
you have to make sure you are in charge of your network, and nobody can
spoof their ip address (by doing this you can partially succeed, but in
case of viruses or real ddos, this will not help)
> Last week one of our Web Servers was hit by large number of DNS Queries from
> several IPs
you meant DNS servers, right?
> around the world. The Domain that was mapped has our nameservers.
>
> Here are some stats:
>
> Number of DNS Queries was approx. more than 7,200 per hour.
> Bandwidth: reached 100 times more than the normal average.
> Named was consuming more than 80% of the CPU Power.
> CPU temp was between 50 to 60.
> Load Average reached 20
> Logging-in SSH takes 3-4 minutes as DNS times out.
> Browsing website gives tcp ip error as DNS times out.
> /var/log/messages logs filled with the DNS queries below but from different
> IPs:
>
> "denied recursion for query from [195.141.214.35].53 for domain.com IN"
>
> Solution:
>
> We have made a perl script that scans /var/log/messages, grabs attacking IPs,
> echoes them into another file, sorts them to remove duplicates and then triggers
> an IPchains blocking rule for each IP address. We were hoping to find the loop as the
> IPs appeared to be generated by a script and after collecting around 12,000
> IP addresses, the loop restarted from the beginning.
>
> Well, that solved it and really I never thought the server would stand such a
> Denial of Service but luckily it survived.
>
> My Question:
>
> Is there any other way to protect Servers from such attacks.. I mean
> something to do with BIND?
> I know the spoofed IPs can be ignored but all attacking IPs were real
> pingable IP addresses.
>
> Thanks
>
> Al-Juhani
> aljuhani at zajil.net
>
>
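The log-scanning workflow Al-Juhani describes (scan /var/log/messages for "denied recursion" lines, deduplicate the source IPs, emit one blocking rule per IP), as an added example written for this page rather than the poster's own perl script. The log lines and IP addresses are constructed (RFC 5737 documentation ranges), and the per-IP threshold is an assumption added so that a single stray query does not get a customer blocked.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages lines, in the format quoted in the thread.
# IPs are from documentation ranges and are not real offenders.
SAMPLE_LOG = """\
Sep 28 03:11:02 ns1 named[412]: denied recursion for query from [192.0.2.10].53 for domain.com IN
Sep 28 03:11:02 ns1 named[412]: denied recursion for query from [198.51.100.7].53 for domain.com IN
Sep 28 03:11:03 ns1 named[412]: denied recursion for query from [192.0.2.10].53 for domain.com IN
Sep 28 03:11:03 ns1 named[412]: lame server resolving 'example.net': 203.0.113.9#53
Sep 28 03:11:04 ns1 named[412]: denied recursion for query from [203.0.113.44].53 for domain.com IN
Sep 28 03:11:05 ns1 named[412]: denied recursion for query from [192.0.2.10].53 for domain.com IN
"""

# Matches the "[IP].port" token of the denied-recursion message; IPv4 only, as in the post.
DENIED_RE = re.compile(r"denied recursion for query from \[(\d{1,3}(?:\.\d{1,3}){3})\]\.\d+")


def count_denied_recursion(log_text):
    """Map each source IP to the number of 'denied recursion' lines it produced."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:  # unrelated named messages (lame server etc.) are skipped
            counts[m.group(1)] += 1
    return counts


def ipchains_rules(counts, threshold):
    """One ipchains DENY rule per IP at or above the threshold, sorted and without duplicates."""
    offenders = sorted(ip for ip, n in counts.items() if n >= threshold)
    return ["ipchains -A input -s %s -j DENY" % ip for ip in offenders]


if __name__ == "__main__":
    # threshold=2 (assumed value) blocks only the repeat offender in the sample
    for rule in ipchains_rules(count_denied_recursion(SAMPLE_LOG), threshold=2):
        print(rule)
```

The generated rules are printed rather than executed, so they can be reviewed against a customer allow-list before being applied.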