
On 09/01/18 11:10, Anthony de Boer via talk wrote:
> Michael Galea via talk wrote:
>> I am experiencing what I believe is a DNS amplification attack on my bind9 DNS server.
>> I'm seeing very many of the following on different IPs:
>>
>> 20:11:53.977254 IP 108.234.250.76.62926 > 69.265.222.253.53: 50679+ [1au] ANY? USADF.GOV. (38)
>>
>> My server responds:
>>
>> 20:11:53.977776 IP 69.265.222.253.53 > 108.234.250.76.62926: 50679 Refused- 0/0/1 (38)
>>
>> I imagine the IPs are spoofed.
>
> I agree with the diagnosis, but IMHO it might be better to configure your nameserver not to respond at all to such queries, especially as anything you emit at all is likely going to a victim of an attack.
>
> Internet-exposed DNS servers should really only respond to queries in domains for which they're authoritative. Recursive servers should be kept private enough to respond only to their local users.
>
> Disclaimer: it's been years since I ran nameservers for a midsized ISP and had to be on top of all this.

I regularly test my email and DNS servers to ensure they are non-forwarding/non-recursive. Someone on the list posted a DNS testing link (https://zonemaster.iis.se) recently and I used it to reconfirm I am still non-recursive. My server isn't responding to requests for a domain it's not authoritative for; it's issuing a harmful refusal to an innocent target spoofed by an attacker.

Out of interest, after I got fail2ban/shorewall working the way I want, I turned it off and activated rate limiting in bind. There are pros and cons to each. I will say I like the bind solution better because it is simpler and doesn't add software. The fail2ban solution is cleaner in that it eliminates all further traffic (until the unban time), and as shorewall drops the attacker's packets, there is no confirmation to the attackers or wasteful refusal sent to the attacker's target. Bind rate limiting will let a bit of that happen.

I have no conclusions yet. After 20 hours of the fail2ban solution being in place, the attackers stop attacking. So bind rate limiting hasn't had a chance to demonstrate itself. Am I missing some other configuration in bind?

-- 
Michael Galea
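For readers following the thread, here is an added named.conf fragment (not from either poster's server) showing the kind of configuration the discussion is about: an authoritative-only BIND 9 server with recursion refused and Response Rate Limiting (RRL) turned on so that the REFUSED answers to spoofed ANY queries are themselves rate-limited. The zone name, file paths and the numeric limits are assumptions chosen for illustration; `minimal-any` requires BIND 9.11 or later.

```conf
// Added example, not the configuration of any server in the thread.
options {
    directory "/var/cache/bind";          // assumed path

    // Authoritative-only: never recurse for anyone, on any interface.
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };

    // Shrink what an ANY query can pull out of us (BIND 9.11+):
    // answer ANY over UDP with a single RRset instead of the whole name.
    minimal-any yes;

    // Response Rate Limiting: identical responses to one /24 (or /56)
    // beyond these per-second budgets are dropped or, every 'slip'-th
    // time, answered with a tiny truncated (TC) reply that a real client
    // will retry over TCP and a spoofed victim simply ignores.
    rate-limit {
        responses-per-second 10;   // normal positive answers
        referrals-per-second 5;
        nodata-per-second    5;
        nxdomains-per-second 5;
        errors-per-second    2;    // REFUSED/SERVFAIL/FORMERR, the case here
        all-per-second      50;    // hard ceiling per client block
        window               5;    // seconds of credit a client can bank
        ipv4-prefix-length  24;
        ipv6-prefix-length  56;
        slip                 2;    // 0 = drop everything over the limit
        log-only            no;    // set yes first to measure before enforcing
        exempt-clients { 192.0.2.0/24; };  // assumed monitoring net (TEST-NET-1)
    };
};

// Only queries for zones we serve get an answer; everything else is REFUSED
// (and, under rate-limit above, that REFUSED is itself throttled).
zone "example.net" {
    type master;
    file "/etc/bind/db.example.net";     // assumed path
    allow-query { any; };
    allow-transfer { none; };
};
```

After a reload, `rndc status` reports whether recursion is off, and RRL drops and slips show up in the `rate-limit` logging category, so the `log-only yes` run is the check to do before enforcing: if legitimate resolvers for the zone start appearing in the rate-limited log, raise the budgets or add them to `exempt-clients` rather than lowering `slip`.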