Limiting DDoS attacks on a nameserver

/dev/rob0 rob0 at
Tue May 24 17:31:06 UTC 2011

I'm being hit by a collection of scoundrels all using source port 53, 
seeking ''. No, I am not authoritative 
for that name. This happened on

    not found: 2(SERVFAIL)
    network:OrgName:RAVENOUS-NETWORKS
    (NXDOMAIN, but owned by Sprint)
    (NXDOMAIN, but owned by Sprint)

Logs of the last one:
May 24 01:13:45 cardinal named[1096]: client query (cache) '' denied
May 24 01:14:15 cardinal last message repeated 956 times
May 24 01:15:15 cardinal last message repeated 1998 times
May 24 01:16:15 cardinal last message repeated 2886 times
May 24 01:17:15 cardinal last message repeated 3839 times
May 24 01:18:15 cardinal last message repeated 3872 times
May 24 01:19:15 cardinal last message repeated 3952 times
May 24 01:20:15 cardinal last message repeated 3981 times
May 24 01:21:10 cardinal last message repeated 3530 times
May 24 01:21:11 cardinal named[1096]: client query (cache) '' denied
May 24 01:21:42 cardinal last message repeated 1973 times
May 24 01:22:43 cardinal last message repeated 3925 times
May 24 01:23:44 cardinal last message repeated 3849 times
May 24 01:24:45 cardinal last message repeated 3850 times
May 24 01:25:45 cardinal last message repeated 3857 times
May 24 01:26:24 cardinal last message repeated 2457 times

If you're keeping score at home, that was 44927 until I blocked it in 
the firewall. Another 4695 hits on the firewall means it did almost 
50K queries in approximately 13-15 minutes total.

All the attackers were doing similar things, but most were not so 
easy to calculate the total for, because at 2011-05-23 01:12 UTC there 
were two of them hitting at the same time. And that also leads to an 
interesting observation: when there were two hitting, there were 
*exactly* two. One would stop, and another (which might have been 
previously attacking) would take its place. This kept up until 01:39, 
when I saw the activity and blocked the offending (spoofed?) IP 
addresses in the firewall.

Above is all that I have seen so far on 2011-05-24, but there too the 
timing is interesting: it leads me to believe I can expect a resumed 
assault at 01:10-01:15 UTC tonight. But since some of the attacking IP 
addresses might already be blocked, it might not show in the log.

1. What is this? Is it targeted at me (my site) personally, or some 
   kind of worm/malware crawling the Internet?
2. Is it harming me, other than the waste of bandwidth and logging?
3. Is there anything that I can (or should) do with named to limit
   or mitigate these attacks?
  3a. Can named trigger an external action on receipt of a certain
4. What can be done outside of named about this?
  4a. fail2ban, I know about, but would rather not.
  4b. Linux iptables -m recent connection limiting

Linux iptables "recent" match:
I know how to do this; in fact I have firewalls limiting both SSH and 
SIP access using -m recent rules. What I am not so sure about: how 
much is a "safe" limit? I think if I set a limit of maybe a hundred
queries in 10 seconds, I would stop this kind of attack without 
affecting normal resolution.

In a related matter, as noted, this attack was all on source port 53. 
It's not safe to block source port 53, is it? I suppose there are 
lots of broken resolvers out there which are still using source port 
53. But maybe my "recent" limitations should only apply to --sport 53.

Here is what I did with -m recent for SIP:
The approach for DNS, at least on the UDP side, will have to be 
similar, because this whole attack would be in conntrack --ctstate 
ESTABLISHED (after the initial refused query.)
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header
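The -m recent approach sketched above for UDP/53, written out as an added example (these are not the poster's own rules, which are not in the archive): the chain name DNS_RL, the list name dnsflood and the 100-queries-in-10-seconds threshold are assumptions, the threshold being the figure the post floats.

```shell
# Added example (not from the original post): an iptables -m recent
# limiter for inbound UDP/53, keyed on source address. Chain name, list
# name and the 100-in-10-seconds threshold are assumptions.
HITCOUNT=${HITCOUNT:-100}          # queries per source per window
WINDOW=${WINDOW:-10}               # window length in seconds
CHAIN=DNS_RL                       # assumed chain name
LIST=dnsflood                      # assumed xt_recent list name

# Print the rule set instead of applying it, so it can be reviewed first
# (pipe the output to sh to apply).
dns_recent_rules() {
    cat <<EOF
# xt_recent remembers only 20 packets per address by default, so a
# --hitcount of $HITCOUNT needs a larger table. The parameter only takes
# effect if the module is not already loaded (else set it in modprobe.d).
modprobe xt_recent ip_pkt_list_tot=$HITCOUNT
iptables -N $CHAIN
# Jump in at the top of INPUT: after the first refused reply, conntrack
# treats the flow as ESTABLISHED, so an earlier "--ctstate ESTABLISHED
# -j ACCEPT" rule would otherwise pass the whole flood.
iptables -I INPUT 1 -p udp --dport 53 -j $CHAIN
# Apply the limit only to source-port-53 queries, as the post proposes.
iptables -A $CHAIN -p udp ! --sport 53 -j RETURN
# Over the threshold within the window: log (rate-limited), then drop.
# --update refreshes the timestamp, so a source that keeps flooding stays blocked.
iptables -A $CHAIN -m recent --name $LIST --update --seconds $WINDOW --hitcount $HITCOUNT -m limit --limit 1/s -j LOG --log-prefix "DNS-RL "
iptables -A $CHAIN -m recent --name $LIST --update --seconds $WINDOW --hitcount $HITCOUNT -j DROP
# Under the threshold: record this hit and let named answer it.
iptables -A $CHAIN -m recent --name $LIST --set -j RETURN
EOF
}
```

Run `dns_recent_rules` to inspect the generated rules, then `dns_recent_rules | sh` as root to apply them.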
