[prev in list] [next in list] [prev in thread] [next in thread]
List: pdns-users
Subject: Re: [Pdns-users] pdns-recursor flooded with bogus lookups, SERVFAILs ensue
From: russell nealis <codemunkee () gmail ! com>
Date: 2014-03-31 19:49:43
Message-ID: CAMC-zb6jcRPSYWaXcic+xj_NmhaHNJtiTtc1ZGO9f+cbBHNaNg () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
On Mon, Mar 31, 2014 at 1:13 AM, Peter van Dijk <
peter.van.dijk@netherlabs.nl> wrote:
> Hello Russell,
>
> On 29 Mar 2014, at 20:48 , russell nealis <codemunkee@gmail.com> wrote:
>
> > I understand the proper approach is to tell the customers to stop
> allowing DNS recursion on the public internet, and I'm working on that.
> However, I have thousands of customer machines and it's likely that this
> will crop up again. So my questions are:
> >
> > (1) Do you suspect this is a DNS amplification attack where my customers
> machines are getting abused? Or some other kind of attack (e.g. DNS cache
> poisoning?)
>
> https://blog.secure64.com/?p=377
>
> > (2) I've considered using iptables to slow down the query rate allowed
> by the customers but in the documentation it says I should be wary of using
> iptables since the volume of traffic could quickly overwhelm it? I noticed
> there is a throttle mechanism mentioned in the documentation but I can't
> determine whether that's something I can configure or if it's just built in
> logic.
>
> We don't have experience with using iptables rate limiting to mitigate
> this and cannot recommend for or against it.
>
> > (3) In general, what would you recommend to be proactive with something
> like this? I'm thinking about writing some code to run dnstop and look for
> customers that seem to be misconfigured and then put in ACLs on my network
> appliances to block their traffic to my recursors until they remedy their
> machines, however this seems heavy handed.
>
> One, please read
> http://blog.powerdns.com/2014/02/06/related-to-recent-dos-attacks-recursor-configuration-file-guidance/and \
> see if any of the suggestions in it are relevant for you. Two, upgrade your \
> Recursor to a recent GIT master, or to our latest 3.5.4-pre snapshot at \
> https://autotest.powerdns.com/job/recursor-git/1109/; then, glean some \
> configuration wisdom from https://github.com/PowerDNS/pdns/pull/1300
>
> Hope this helps; please let us know how it works out for you.
>
> Kind regards,
> --
> Peter van Dijk
> Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
>
>
Thank you for your help, Peter. I'll give it a go.
[Attachment #5 (text/html)]
<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, \
Mar 31, 2014 at 1:13 AM, Peter van Dijk <span dir="ltr"><<a \
href="mailto:peter.van.dijk@netherlabs.nl" \
target="_blank">peter.van.dijk@netherlabs.nl</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc \
solid;padding-left:1ex">Hello Russell,<br> <div><br>
On 29 Mar 2014, at 20:48 , russell nealis <<a href="mailto:codemunkee@gmail.com" \
target="_blank">codemunkee@gmail.com</a>> wrote:<br> <br>
> I understand the proper approach is to tell the customers to stop allowing DNS \
recursion on the public internet, and I'm working on that. However, I have \
thousands of customer machines and it's likely that this will crop up again. So \
my questions are:<br>
><br>
> (1) Do you suspect this is a DNS amplification attack where my customers \
machines are getting abused? Or some other kind of attack (e.g. DNS cache \
poisoning?)<br> <br>
</div><a href="https://blog.secure64.com/?p=377" \
target="_blank">https://blog.secure64.com/?p=377</a><br> <div><br>
> (2) I've considered using iptables to slow down the query rate allowed by \
the customers but in the documentation it says I should be wary of using iptables \
since the volume of traffic could quickly overwhelm it? I noticed there is a throttle \
mechanism mentioned in the documentation but I can't determine whether that's \
something I can configure or if it's just built in logic.<br>
<br>
</div>We don’t have experience with using iptables rate limiting to mitigate \
this and cannot recommend for or against it.<br> <div><br>
> (3) In general, what would you recommend to be proactive with something like \
this? I'm thinking about writing some code to run dnstop and look for customers \
that seem to be misconfigured and then put in ACLs on my network appliances to block \
their traffic to my recursors until they remedy their machines, however this seems \
heavy handed.<br>
<br>
</div>One, please read <a \
href="http://blog.powerdns.com/2014/02/06/related-to-recent-dos-attacks-recursor-configuration-file-guidance/" \
target="_blank">http://blog.powerdns.com/2014/02/06/related-to-recent-dos-attacks-recursor-configuration-file-guidance/</a> \
and see if any of the suggestions in it are relevant for you.<br>
Two, upgrade your Recursor to a recent GIT master, or to our latest 3.5.4-pre \
snapshot at <a href="https://autotest.powerdns.com/job/recursor-git/1109/" \
target="_blank">https://autotest.powerdns.com/job/recursor-git/1109/</a>; then, glean \
some configuration wisdom from <a href="https://github.com/PowerDNS/pdns/pull/1300" \
target="_blank">https://github.com/PowerDNS/pdns/pull/1300</a><br>
<br>
Hope this helps; please let us know how it works out for you.<br>
<br>
Kind regards,<br>
<span><font color="#888888">--<br>
Peter van Dijk<br>
Netherlabs Computer Consulting BV - <a href="http://www.netherlabs.nl/" \
target="_blank">http://www.netherlabs.nl/</a><br></font></span><br></blockquote></div><br></div><div \
class="gmail_extra">Thank you for your help, Peter. I'll give it a go.</div> \
</div>
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic