Server overwhelmed by rejections?

Lightner, Jeff jlightner at water.com
Wed Jan 20 13:47:37 UTC 2010


I was quite satisfied that the ones I blacklisted were causing my CPU load to
spike, and have seen no ill effects from having blocked them.  I wasn't
suggesting anyone blacklist every IP they don't recognize, but rather
those that are trying the same thing over and over, such as attempting to
update one of my zones.

Restricting everything to port 53 would not have solved the CPU load
issue since that is where the traffic was coming in already.

-----Original Message-----
From: bind-users-bounces+jlightner=water.com at lists.isc.org
[mailto:bind-users-bounces+jlightner=water.com at lists.isc.org] On Behalf
Of Matus UHLAR - fantomas
Sent: Wednesday, January 20, 2010 3:53 AM
To: bind-users at lists.isc.org
Subject: Re: Server overwhelmed by rejections?

On 19.01.10 08:29, Lightner, Jeff wrote:
> Luckily my machines have enough horsepower not to shut down from this
> but I have on occasion seen the CPU load start going up due to it. On
> lower-powered machines this would likely cause what you're seeing.
> 
> If you're running a firewall (external device or iptables on Linux) the
> best way to deal with this is to determine the IP or IP range that is
> hammering you and simply blacklist it (drop its packets).
> 
> If you're not running a firewall you can blacklist the IPs in
> named.conf. In options insert a line like:
>
> blackhole { blackhats; };
>
> Then create an acl called blackhats with the IPs or range you want to
> drop:
>
> acl "blackhats" {
>         x.x.x.x; x.x.x/22;
> };
>
> In the above, the first x.x.x.x would be a single IP and the x.x.x/22 would
> be an entire /22 CIDR block for a given network.

In response to some DDoS attacks a year ago, when many servers were
receiving queries for ". IN NS", advice was given: don't blackhole those IP
addresses. At least some of them are real authoritative-only nameservers,
and putting them in the blackhole would prevent your BIND from reaching them.

It's better to firewall off requests from those IP addresses to your
port 53. If you have a recursive-only nameserver, you can safely disable
requests to it from unauthorized sources and allow only authorized networks.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)
_______________________________________________
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
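The thread above describes two ways to deal with a source that keeps hammering a BIND server: Jeff's named.conf `blackhole { blackhats; };` ACL, and Matus's narrower firewall rule on port 53. The script below is an added example, not code from either poster or from ISC: it picks the repeat offenders out of BIND-style log lines and prints both forms of block. The log lines are constructed for this example, and the script assumes BIND 9's `client IP#port:` log prefix for query and update entries; the threshold, the ACL name `blackhats` and the iptables rule shape are illustrative choices.

```shell
#!/bin/sh
# Added example (not from the thread): find the sources hammering a BIND
# server, then emit either the named.conf blackhole ACL Jeff describes or
# the port-53-only firewall rules Matus recommends instead.
#
# Assumption: log lines carry BIND 9's "client IP#port:" prefix, as in the
# queries and security log categories. The sample below is constructed.

LOG=$(cat <<'EOF'
20-Jan-2010 03:53:01.001 client 192.0.2.10#40001: query: . IN NS + (198.51.100.5)
20-Jan-2010 03:53:01.002 client 192.0.2.10#40002: query: . IN NS + (198.51.100.5)
20-Jan-2010 03:53:01.003 client 192.0.2.10#40003: query: . IN NS + (198.51.100.5)
20-Jan-2010 03:53:01.004 client 192.0.2.10#40004: query: . IN NS + (198.51.100.5)
20-Jan-2010 03:53:01.005 client 203.0.113.7#1024: update 'example.net/IN' denied
20-Jan-2010 03:53:01.006 client 203.0.113.7#1024: update 'example.net/IN' denied
20-Jan-2010 03:53:01.007 client 203.0.113.7#1024: update 'example.net/IN' denied
20-Jan-2010 03:53:01.008 client 198.51.100.22#5353: query: www.example.net IN A + (198.51.100.5)
EOF
)

# top_sources LOGTEXT THRESHOLD
# Prints "count ip", highest count first, for every client address that
# appears at least THRESHOLD times. Repeated identical requests (". IN NS",
# denied updates) from one address are exactly the pattern worth blocking.
top_sources() {
    printf '%s\n' "$1" \
      | sed -n 's/.*client \([0-9][0-9.]*\)#[0-9]*:.*/\1/p' \
      | awk -v t="$2" '{ c[$1]++ } END { for (ip in c) if (c[ip] >= t) print c[ip], ip }' \
      | sort -rn
}

# blackhole_acl: reads "count ip" lines on stdin and prints an acl block for
# named.conf. Pair it with "blackhole { blackhats; };" inside options { }.
# Caveat from the thread: blackhole also stops this server from sending
# queries to those addresses, so do not use it on a resolver for addresses
# that might be legitimate authoritative servers.
blackhole_acl() {
    printf 'acl "blackhats" {\n'
    awk '{ printf "        %s;\n", $2 }'
    printf '};\n'
}

# port53_drop_rules: reads "count ip" lines on stdin and prints iptables
# commands that drop only inbound DNS from those sources. Printed, not run,
# so the output can be reviewed before it touches the firewall.
port53_drop_rules() {
    awk '{ printf "iptables -I INPUT -s %s -p udp --dport 53 -j DROP\n", $2
           printf "iptables -I INPUT -s %s -p tcp --dport 53 -j DROP\n", $2 }'
}

echo "== sources with at least 3 hits =="
top_sources "$LOG" 3
echo "== named.conf acl (add 'blackhole { blackhats; };' to options) =="
top_sources "$LOG" 3 | blackhole_acl
echo "== firewall alternative, port 53 only =="
top_sources "$LOG" 3 | port53_drop_rules
```

On a recursive-only server the firewall output is the safer of the two, for the reason Matus gives: a blackholed address is also one BIND will never query, whereas an iptables DROP on `--dport 53` leaves outbound resolution untouched. The same goal can be reached inside named.conf by restricting `allow-query` and `allow-recursion` to the networks that are supposed to use the server, which rejects unknown sources without naming them one by one.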