Deny query from a single IP

Prabhat Rana prana9533 at yahoo.com
Thu Feb 26 17:43:21 UTC 2009


Thanks Eric. Using the blackhole option sounds like a feasible option to block an IP address. Instead of using the acl, can I just use the option blackhole
blackhole { xx.xx.xx.xx; };

The idea is to use the File::Tail perl module in a script to tail the stat file continuously and, if the condition occurs, pick the source IP address and insert the line
blackhole { xx.xx.xx.xx; };
in the named.conf under options and reload the configuration.

During these attacks we've experienced that named basically hangs because it gets flooded with queries. With the blackhole option the recursion part to the internet from such queries can be avoided, but we can't avoid the incoming queries from the attacker. So we will need to test this to determine how effective it is.



--- On Thu, 2/26/09, Jeff Lightner <jlightner at water.com> wrote:

> From: Jeff Lightner <jlightner at water.com>
> Subject: RE: Deny query from a single IP
> To: "Eric C. Davis" <eric at mail.rockefeller.edu>, prana9533 at yahoo.com
> Cc: bind-users at lists.isc.org
> Date: Thursday, February 26, 2009, 10:38 AM
> That being said you CAN do what you asked:
> 
> Create an ACL in named.conf:
> 
> # Blackhats ACL - zones to be used in blackhole statement - will prevent
> # them from being allowed to query and will not respond to them.
> acl "blackhats" {
>         xx.xx.xx.xx;
> };
> 
> (Where you put the specific IP in place of the xx.xx.xx.xx.)
> 
> Then in options section add a line to use the ACL:
>         blackhole { blackhats; };
> 
> -----Original Message-----
> From: bind-users-bounces at lists.isc.org
> [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Eric
> C. Davis
> Sent: Thursday, February 26, 2009 11:24 AM
> To: prana9533 at yahoo.com
> Cc: bind-users at lists.isc.org
> Subject: Re: Deny query from a single IP
> 
> It is better to do this with a real IPS rather than use your DNS server to
> do this.  You should avoid having any unwanted traffic hit your DNS
> servers ever.
> 
> Eric
> Prabhat Rana wrote:
> > Hello,
> > I have BIND 9.5 running on a Solaris 10 box. It provides recursive DNS
> > service. I'm trying to implement a script where it reads the BIND stats
> > file for all the incoming queries and if there are too many queries from
> > a single user (source IP) it will block queries from that particular IP.
> > In order for this to occur is there a parameter similar to allow-query
> > that I can inject into the named.conf to block queries from a single IP
> > address when this condition occurs? Basically I'm trying to add a tool
> > to detect potential DOS attacks where we see too many queries from one
> > single IP. Any other suggestions would also be appreciated.
> >
> > Thanks
> > Prabhat.
> > _______________________________________________
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
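The detector-plus-ACL loop that Prabhat sketches above (tail the log, count queries per source, block the flooder, reload named) and the `acl "blackhats"` / `blackhole { blackhats; }` layout Jeff quotes, worked through as one added example. This is not code from the thread or from ISC; it is written in Python rather than with the Perl File::Tail module the post mentions. It assumes the lines being tailed are in BIND's query-log format (`... client 198.51.100.4#40221: query: www.example.com IN A +`), that the threshold (5 queries in 10 seconds), the ACL file path and the `rndc reload` command are site choices, and the sample log lines and addresses are constructed, not captured traffic.

```python
"""Watch BIND query-log lines for a flooding client and maintain a
'blackhats' ACL file that named.conf references via blackhole {}.

Added example for this thread; constructed sample data, not real traffic."""
import re
import subprocess
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed input format: BIND query-log lines, e.g.
#   26-Feb-2009 10:38:00.101 client 198.51.100.4#40221: query: www.example.com IN A +
QUERY_LINE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query: "
)
TS_FORMAT = "%d-%b-%Y %H:%M:%S"

# Constructed sample: 203.0.113.7 sends a burst, 198.51.100.4 is a normal client,
# and one non-query line is mixed in to show it is ignored.
SAMPLE_LOG = [
    "26-Feb-2009 10:38:00.101 client 198.51.100.4#40221: query: www.example.com IN A +",
    "26-Feb-2009 10:38:00.205 client 203.0.113.7#53211: query: example.net IN A +",
    "26-Feb-2009 10:38:00.310 client 203.0.113.7#53211: query: example.net IN A +",
    "26-Feb-2009 10:38:01.002 client 203.0.113.7#53211: query: example.net IN A +",
    "26-Feb-2009 10:38:01.450 lame server resolving 'example.org' (in 'example.org'?): 192.0.2.53#53",
    "26-Feb-2009 10:38:02.017 client 203.0.113.7#53211: query: example.net IN A +",
    "26-Feb-2009 10:38:05.600 client 198.51.100.4#40222: query: mail.example.com IN MX +",
    "26-Feb-2009 10:38:06.118 client 203.0.113.7#53211: query: example.net IN A +",
    "26-Feb-2009 10:38:07.300 client 203.0.113.7#53211: query: example.net IN A +",
    "26-Feb-2009 10:38:30.000 client 198.51.100.4#40223: query: ns1.example.com IN A +",
]


class FloodDetector:
    """Sliding-window counter of queries per client address."""

    def __init__(self, threshold, window_seconds):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.hits = defaultdict(deque)  # ip -> timestamps still inside the window
        self.blocked = set()

    def feed(self, line):
        """Consume one log line; return the ip if it just crossed the threshold."""
        m = QUERY_LINE.match(line)
        if not m:
            return None  # not a query line (e.g. a 'lame server' message)
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        ip = m.group("ip")
        recent = self.hits[ip]
        recent.append(ts)
        while ts - recent[0] > self.window:  # drop hits older than the window
            recent.popleft()
        if len(recent) >= self.threshold and ip not in self.blocked:
            self.blocked.add(ip)
            return ip
        return None


def scan(lines, threshold=5, window_seconds=10):
    """Run the detector over a batch of lines; return (all blocked, newly blocked)."""
    det = FloodDetector(threshold, window_seconds)
    newly = [ip for ip in (det.feed(line) for line in lines) if ip]
    return det.blocked, newly


def render_blackhats_acl(blocked):
    """Render the acl from Jeff's reply; 'none' keeps it valid when nothing is blocked."""
    entries = sorted(blocked) or ["none"]
    body = "".join(f"        {entry};\n" for entry in entries)
    return (
        "# Blackhats ACL - generated by the flood detector, referenced from\n"
        "# options { blackhole { blackhats; }; } in named.conf\n"
        'acl "blackhats" {\n' + body + "};\n"
    )


def apply_acl(blocked, acl_path, reload_cmd=("rndc", "reload")):
    """Rewrite the ACL file whole and reload named (path and command are assumptions)."""
    with open(acl_path, "w") as fh:
        fh.write(render_blackhats_acl(blocked))
    subprocess.run(list(reload_cmd), check=True)


if __name__ == "__main__":
    blocked, newly = scan(SAMPLE_LOG)
    print("blocked:", sorted(blocked), "newly:", newly)
    print(render_blackhats_acl(blocked))
    # In production: apply_acl(blocked, "/etc/named/blackhats.acl")  # assumed path
```

The generated file is meant to be pulled in with `include "/etc/named/blackhats.acl";` (assumed path) placed before the `options` block, since BIND requires an acl to be defined before it is referenced; rewriting the whole file on each change avoids the duplicate or mis-nested `blackhole` lines that inserting a line into `options` on every event would accumulate. As the post notes, blackhole only stops named from answering and recursing for those clients; the packets still arrive, so the `newly` list is also the right thing to hand to a host firewall or IPS if, as Eric suggests, the traffic should be dropped before it reaches the server.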

