Help in stopping DNS requests (DNS Amplification)
I lease a few servers from 1and1. Up until the beginning of last week, everything was functioning normally.
Starting last week, one of my servers started receiving a massive increase in DNS traffic. There were between 100 and 200 requests per second, with logs containing information similar to the following lines:
Further investigation identified huge log files and a massive amount of traffic. The traffic was all requesting the above information while spoofing the source IP. Blocking individual addresses required constant monitoring.
In order to reduce the log file size and CPU time, I implemented a set of iptables rules designed to:
I have successfully managed to drop all these requests at the firewall and relieve the strain on my servers' I/O and CPU time. However, using iptraf and 'iptables -vnL --line-numbers', I can see the traffic is still continuing, with the following statistics after 24 hours:
My server specs:
AuthenticAMD, AMD Phenom(tm) II X6 1055T Processor (6 CPU)
100 Mbps full duplex
Linux 2.6.32-279.5.1.el6.x86_64 #1 SMP Tue Aug 14 23:54:45 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Plesk 11.0.9 (fully up-to-date)
'iptables' and 'ossec-hids'
8 IP addresses
authoritative name server (12 zones)
Thanks in advance,
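As an added example (not code from the original thread), the following script shows the kind of log check the post describes: it parses BIND-style query-log lines, works out each source's peak queries per second and its share of ANY queries, and flags sources that look like amplification traffic. The log format, the addresses and the query lines are all constructed here for illustration; the thresholds are assumptions to tune against your own baseline.

```python
"""Flag sources that hammer an authoritative BIND server with ANY queries.

Added example, not from the original thread. The input format assumed is
BIND 9's query log ("client <ip>#<port>: query: <name> IN <type> <flags> (<dst>)");
the sample lines below are constructed, using documentation addresses.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed line layout: "dd-Mon-YYYY HH:MM:SS.mmm client IP#port: query: name IN TYPE flags (dst)"
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<src>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Constructed sample: one source fires 120 ANY queries inside a single second
# (the pattern the thread describes), plus two ordinary queries from another host
# and one line that is not a query log entry at all.
SAMPLE_LOG = [
    f"13-Sep-2012 10:15:01.{i:03d} client 203.0.113.7#{40000 + i}: query: example.com IN ANY +E (198.51.100.2)"
    for i in range(120)
] + [
    "13-Sep-2012 10:15:01.500 client 198.51.100.10#53012: query: www.example.com IN A + (198.51.100.2)",
    "13-Sep-2012 10:15:02.010 client 198.51.100.10#53013: query: mail.example.com IN MX + (198.51.100.2)",
    "this line is not a query log entry",
]


def parse_line(line):
    """Return the fields of one query-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return {"ts": ts, "src": m.group("src"), "name": m.group("name"),
            "qtype": m.group("qtype"), "flags": m.group("flags")}


def summarize(lines):
    """Per source: total queries, ANY queries and the peak count seen in any one second."""
    per_sec = defaultdict(lambda: defaultdict(int))
    stats = defaultdict(lambda: {"total": 0, "any": 0, "peak_qps": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not counted
        s = stats[rec["src"]]
        s["total"] += 1
        if rec["qtype"] == "ANY":
            s["any"] += 1
        bucket = per_sec[rec["src"]]
        bucket[rec["ts"]] += 1  # timestamps are truncated to the second by the regex
        s["peak_qps"] = max(s["peak_qps"], bucket[rec["ts"]])
    return dict(stats)


def flag_sources(stats, qps_threshold=50, any_ratio=0.8):
    """Sources whose peak rate exceeds the threshold and whose traffic is mostly ANY.

    Both thresholds are assumptions; set them from your server's normal traffic.
    """
    flagged = []
    for src, s in stats.items():
        if s["peak_qps"] >= qps_threshold and s["any"] / s["total"] >= any_ratio:
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src, s in sorted(summary.items()):
        print(f"{src:16} total={s['total']:4} any={s['any']:4} peak_qps={s['peak_qps']:4}")
    print("flagged:", flag_sources(summary))
```

Keep in mind what a flagged address means in this attack: because the source is spoofed, it is the victim's address, not the attacker's, so blocking it in iptables stops reflected traffic from reaching a third party but does not stop the attacker. That is why rate limiting the response (rather than keeping a growing blocklist) is the more useful mitigation, and why trimming what BIND logs helps the I/O load as much as the firewall does.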
Please read the links / advice posted in: http://www.linuxquestions.org/questi...on-4175417284/, http://www.linuxquestions.org/questi...es-4175450008/ and maybe http://www.openlogic.com/wazi/bid/18...-DNS-with-BIND. You may find you have already implemented all of that, but it never hurts to ensure you have. After checking / implementing that, Netfilter rate limiting is still useful, but you should not need IP blocking anymore (if you do, use ipset instead), and having Netfilter do string matches is computationally very expensive (use a Snort rule instead). If you have ensured your NS can't be used for amplification attacks anymore, you probably want to make BIND log less.
Thanks for the reply.
0) & 1) Bug report? : The Plesk Administrator's Guide explains! Link
While I do believe that the rate limiting I added to my firewall is helpful, I am concerned about any performance hit. The string matching is, as you stated, expensive, but without it, with only the rate limiting on, named is using around 10% of 3/4 cores constantly.
Snort looks useful, and ipset is exactly what I need. The links you provided are also very good for reference. Thanks.
I will update what I do in due course.
FYI: iptables statistics after 36 hours