LEAP 15.5
named 9.16.44
We are the unhappy target of a DDoS attack on our little DNS server. Someone in Brazil appears to be requesting resolution for every Class C network IP in existence.
I have modified BIND named to rate-limit all queries (all-per-second 20) to a max of 20 per second. This has reduced the CPU load to a reasonable level.
The attack, however, is creating huge log files. Both Suricata and named are generating log files 10 - 100 times larger than normal.
We cannot disable port 53 at the firewall; mail delivery requires a functioning DNS server. (We have our own MTA.)
Any other actions I could take to reduce the traffic?
Have a look at fail2ban - it can block addresses that are making too many requests, and you can configure it to be a temporary block. I used it on my systems to block attempts to hack ssh on some of my systems.
It should be in the standard repos.
I use fail2ban to successfully block email dictionary attacks and other DNS attacks.
I tried fail2ban for this as well. It does block unwanted IPs. The problem is that in less than an hour it had blocked nearly 20,000 IPs and the attack is apparently trying all 4 billion IPv4 addresses; it has been continuous since 28-Oct-2023.
I can, of course, have the programs stop logging. But it was the logs that showed the problem.
Here is a sampling of named’s rate-limit log. I do not know what the bit with google, apple, cisco is about; other IPs tested either resolve to Brazil or nothing.
31-Oct-2023 16:46:52.241 rate-limit: info: client @0x7fb90802ce10 186.211.98.151#19186 (google.com): rate limit drop all response to 186.211.98.0/24
31-Oct-2023 16:46:52.245 rate-limit: info: client @0x7fb90c016700 186.211.98.179#13039 (apple.com): rate limit drop all response to 186.211.98.0/24
31-Oct-2023 16:46:52.257 rate-limit: info: client @0x7fb911ec9cb0 186.211.98.190#16777 (apple.com): rate limit drop all response to 186.211.98.0/24
31-Oct-2023 16:46:52.277 rate-limit: info: client @0x7fb90802ce10 186.211.98.205#34790 (cisco.com): rate limit drop all response to 186.211.98.0/24
31-Oct-2023 16:46:52.285 rate-limit: info: client @0x7fb90c016700 186.211.98.148#44162 (google.com): rate limit drop all response to 186.211.98.0/24
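The log lines above are exactly what a fail2ban filter for named would have to match, and they also show why a per-IP jail fills up so fast: each source address sends only a handful of queries, but the whole /24 is hammering the server. The script below is an added example, not code from this thread, from BIND or from fail2ban. It parses named rate-limit lines with a fail2ban-style failregex (the `<HOST>` placeholder and the IPv4-only pattern substituted for it are assumptions; fail2ban's real expansion also covers IPv6 and hostnames), then counts drops per client address, per /24 and per query name, so you can compare what a per-IP ban list would contain against what a per-prefix block would need. The sample log is constructed: the first five lines are the ones posted above, the remaining lines are made up to show a repeated source and a non-matching line.

```python
"""Parse BIND rate-limit log lines and aggregate drops per client host, per /24 and per qname."""
import ipaddress
import re
from collections import Counter

# Constructed sample in the format of the named rate-limit lines quoted in this thread.
# First five lines are from the post; the last three are made up for illustration.
SAMPLE_LOG = """\
31-Oct-2023 16:46:52.241 rate-limit: info: client @0x7fb90802ce10 186.211.98.151#19186 (google.com): rate limit drop all response to 186.211.98.0/24
31-Oct-2023 16:46:52.245 rate-limit: info: client @0x7fb90c016700 186.211.98.179#13039 (apple.com): rate limit drop all response to 186.211.98.0/24
31-Oct-2023 16:46:52.257 rate-limit: info: client @0x7fb911ec9cb0 186.211.98.190#16777 (apple.com): rate limit drop all response to 186.211.98.0/24
31-Oct-2023 16:46:52.277 rate-limit: info: client @0x7fb90802ce10 186.211.98.205#34790 (cisco.com): rate limit drop all response to 186.211.98.0/24
31-Oct-2023 16:46:52.285 rate-limit: info: client @0x7fb90c016700 186.211.98.148#44162 (google.com): rate limit drop all response to 186.211.98.0/24
31-Oct-2023 16:46:52.301 rate-limit: info: client @0x7fb90802ce10 186.211.98.151#20999 (cisco.com): rate limit drop all response to 186.211.98.0/24
31-Oct-2023 16:46:53.002 rate-limit: info: client @0x7fb90c016700 203.0.113.7#5353 (example.net): rate limit drop all response to 203.0.113.0/24
31-Oct-2023 16:46:53.100 general: info: some unrelated named message
"""

# Assumed fail2ban-style failregex for these lines; fail2ban expands <HOST> itself.
# Check it against real logs with `fail2ban-regex <logfile> <filterfile>` before deploying.
FAILREGEX = (
    r"rate-limit: info: client @0x[0-9a-f]+ <HOST>#\d+ "
    r"\((?P<qname>[^)]*)\): rate limit drop (?P<what>\S+) response to (?P<net>\S+)$"
)

# IPv4-only stand-in for fail2ban's <HOST> expansion (assumption; the real one is broader).
HOST_PATTERN = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
LINE_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))


def parse_rate_limit_lines(text):
    """Return one dict per matching line: host, qname, what was dropped, dropped prefix."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def client_network(host, prefixlen=24):
    """Aggregate a client address to its /24 (BIND's default ipv4-prefix-length for rate limiting)."""
    return str(ipaddress.ip_network(f"{host}/{prefixlen}", strict=False))


def summarize(records):
    """Count drops per client host, per /24 and per queried name."""
    return {
        "per_host": Counter(r["host"] for r in records),
        "per_net": Counter(client_network(r["host"]) for r in records),
        "per_qname": Counter(r["qname"] for r in records),
    }


def networks_over_threshold(records, threshold):
    """Client /24s with at least `threshold` dropped responses: candidates for one prefix
    block instead of one fail2ban ban per source address."""
    per_net = summarize(records)["per_net"]
    return sorted(net for net, n in per_net.items() if n >= threshold)


def fail2ban_candidates(records, maxretry):
    """What a per-IP jail would ban: hosts seen at least `maxretry` times. With roughly one
    query per source address this stays short while the /24 totals keep climbing."""
    per_host = summarize(records)["per_host"]
    return sorted(h for h, n in per_host.items() if n >= maxretry)


if __name__ == "__main__":
    recs = parse_rate_limit_lines(SAMPLE_LOG)
    stats = summarize(recs)
    print("matched lines:", len(recs))
    print("drops per /24:", dict(stats["per_net"]))
    print("drops per qname:", dict(stats["per_qname"]))
    print("networks with >= 5 drops:", networks_over_threshold(recs, 5))
    print("hosts a jail with maxretry=2 would ban:", fail2ban_candidates(recs, 2))
```

Run it against a real named log by replacing `SAMPLE_LOG` with the file contents; the interesting output is the gap between `per_host` and `per_net`, which tells you whether banning individual addresses can ever keep up or whether the block has to be applied per prefix (or, as the firewall later did, per region).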
There really seem to me to be three options here:
- Turn off logging (as you said, that revealed the problem)
- Block DNS queries entirely - possibly coupled with using a third-party DNS service like AWS’ Route53 to host your domain’s info
- Use something like fail2ban to ban the sources of the DDoS selectively
If you’re getting hit from over 20,000 separate addresses, then that may be something to talk with your service provider about mitigating and/or moving your DNS from a local server to a service that is better equipped to deal with a massive attack like this because they have a more complete infrastructure designed to deal with this type of thing.
I suppose a fourth option, if the attacks are coming from one geographic region, would be to block that region in its entirety. If it’s highly unlikely that you’d be receiving e-mail from that region, that might be an option.
I discovered the UDP Flood protection settings in our firewall (sonicwall tz-350). After adjusting those settings a bit, the amount of spurious DNS requests has dropped dramatically.
I further discovered that the firewall also does Geo-IP blocking. After blocking the country Brazil, the flood attack stopped completely.