
Today my VPS got stuck.
CentOS 7, 4 cores, BIND 9.11.
From SSH I got

Message from syslogd@host at Jul 18 09:46:16 ... kernel:NMI watchdog: BUG: soft lockup - CPU#0 stuck for 41s! [f2b/observer:1299]

From another SSH screen where I left top running, I got at the end

top - 10:06:05 up 9:22, 1 user, load average: 101,26, 106,77, 94,46
Tasks: 318 total, 80 running, 218 sleeping, 0 stopped, 20 zombie

From /var/log/messages I have several lines like these

Jul 18 09:44:04 host named[1078]: client @0x7fb37010e820 192.182.160.249#80 (domain.com): query (cache) 'domain.com/RRSIG/IN' denied
Jul 18 09:44:04 host named[1078]: client @0x7fb37010e820 192.182.160.249#80 (domain.com): query (cache) 'domain.com/RRSIG/IN' denied
Jul 18 09:44:04 host named[1078]: client @0x7fb37010e820 97.100.253.26#3658 (domain.com): query (cache) 'domain.com/RRSIG/IN' denied
Jul 18 09:44:04 host named[1078]: client @0x7fb37011cfc0 192.182.160.249#80 (domain.com): query (cache) 'domain.com/RRSIG/IN' denied
Jul 18 09:44:04 host named[1078]: client @0x7fb370100080 97.100.253.26#3658 (domain.com): query (cache) 'domain.com/RRSIG/IN' denied
Jul 18 09:44:04 host named[1078]: client @0x7fb370100080 192.182.160.249#80 (domain.com): query (cache) 'domain.com/RRSIG/IN' denied

After resetting the server everything was normal, but after some hours the problems came back.
Right now all is good, but tailf /var/log/messages outputs

Jul 18 12:33:13 host named[1017]: client @0x7fcde010e820 172.58.188.22#64587 (domain.com): query (cache) 'domain.com/RRSIG/IN' denied
Jul 18 12:33:18 host named[1017]: client @0x7fcde010e820 67.240.44.5#80 (domain.com): query (cache) 'domain.com/RRSIG/IN' denied
Jul 18 12:33:21 host named[1017]: client @0x7fcde010e820 172.58.188.22#64587 (domain.com): query (cache) 'domain.com/RRSIG/IN' denied
Jul 18 12:33:29 host named[1017]: client @0x7fcde010e820 172.58.188.22#64587 (domain.com): query (cache) 'domain.com/RRSIG/IN' denied
Jul 18 12:33:47 host named[1017]: client @0x7fcde010e820 67.240.44.5#80 (domain.com): query (cache) 'domain.com/RRSIG/IN' denied

The requests are more spaced out in time, so they don't hurt, but after a while... who knows.
How can I reject incoming requests for this known "domain.com" (or others)? This is a small-budget server; I cannot hire those services that prevent DDoS attacks.

I followed these last instructions:
I created /etc/named/block and added a zone to /etc/named.conf.

It worked; tailf /var/log/messages doesn't list those requests anymore, but I don't know whether doing it that way is a good idea.

UPDATE: screenshot

  • Well, even if your server gets 5 million requests, it's just a bit of noise. To stop this kind of request, you have to fix it via fail2ban instead of named – djdomi Jul 22 '21 at 04:54
  • @djdomi I already have f2b installed from scratch. I don't know how to handle that issue with fail2ban. A webpage with 30 thumbnails produces a lot of requests in a short time. I added a screenshot of a crucial part of /var/log/messages. – Daniel Franco Jul 23 '21 at 23:36
  • I would suggest enabling rate limits and then using my regex for [fail2ban](https://github.com/djdomi/fail2ban-rules/blob/main/named/named-antispam/named-antispam.conf) – djdomi Jul 24 '21 at 13:41
  • Then update your question with the information about what you have tried too, and also remember that there are some standard rules like named-refused-tcp or udp – djdomi Jul 24 '21 at 13:48
  • As soon as I can I will move to another VPS and then follow your recommendations. There will be a delay. Thanks. – Daniel Franco Jul 24 '21 at 21:33
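The fail2ban approach recommended in the comments amounts to matching the `query (cache) ... denied` lines, taking the client address from the `client` field, and counting hits per address inside a time window. The block below is an added example to show that logic end to end; it is not code from the question, from djdomi's ruleset, or from fail2ban itself. It assumes the line shape shown in the post, an assumed year for the syslog timestamps (which carry none), and constructed sample lines using RFC 5737 documentation addresses instead of the real clients from the post. It applies fail2ban's `maxretry`/`findtime` semantics (ban when an address reaches `maxretry` hits within `findtime` seconds) and also counts hits per queried name, which is what you would look at before deciding to add a name to a block zone.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Line shape taken from the post (constructed sample below, not the real clients):
#   Jul 18 09:44:04 host named[1078]: client @0x7fb37010e820 192.0.2.10#80 (example.com): query (cache) 'example.com/RRSIG/IN' denied
# The "@0x..." client handle and the "(name)" field are optional so older BIND
# formats without them still match; the IP is always taken from the client field.
DENIED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"(?:\([^)]*\): )?query(?: \(cache\))? "
    r"'(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/IN' denied$"
)

SYSLOG_YEAR = 2021  # assumption: syslog timestamps carry no year

# Constructed sample: one noisy client, one occasional client, one unrelated line.
SAMPLE_LOG = """\
Jul 18 09:44:04 host named[1078]: client @0x7fb37010e820 192.0.2.10#80 (example.com): query (cache) 'example.com/RRSIG/IN' denied
Jul 18 09:44:04 host named[1078]: client @0x7fb37010e820 192.0.2.10#80 (example.com): query (cache) 'example.com/RRSIG/IN' denied
Jul 18 09:44:05 host named[1078]: client @0x7fb37010e820 198.51.100.7#3658 (example.com): query (cache) 'example.com/RRSIG/IN' denied
Jul 18 09:44:05 host named[1078]: client @0x7fb37011cfc0 192.0.2.10#80 (example.com): query (cache) 'example.com/RRSIG/IN' denied
Jul 18 09:44:06 host named[1078]: client @0x7fb370100080 192.0.2.10#80 (example.com): query (cache) 'example.com/RRSIG/IN' denied
Jul 18 09:44:07 host named[1078]: client @0x7fb370100080 192.0.2.10#80 (example.com): query (cache) 'example.com/RRSIG/IN' denied
Jul 18 09:44:07 host named[1078]: zone example.org/IN: loaded serial 2021071801
Jul 18 12:33:13 host named[1017]: client @0x7fcde010e820 198.51.100.7#64587 (example.com): query (cache) 'example.com/RRSIG/IN' denied
Jul 18 12:33:18 host named[1017]: client @0x7fcde010e820 198.51.100.7#64587 (example.com): query (cache) 'example.com/RRSIG/IN' denied
"""


def parse_line(line):
    """Return {'ts', 'ip', 'qname', 'qtype'} for a denied-query line, else None."""
    m = DENIED_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ip": m["ip"], "qname": m["qname"].lower(), "qtype": m["qtype"]}


def find_offenders(lines, maxretry=5, findtime=60):
    """fail2ban semantics: an IP is banned the moment it has maxretry denied
    queries within any findtime-second window. Lines are assumed in time order.
    Returns {ip: timestamp_of_the_hit_that_triggered_the_ban}."""
    windows = defaultdict(deque)  # ip -> timestamps of recent hits
    banned = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = windows[ev["ip"]]
        q.append(ev["ts"])
        # drop hits that fell out of the sliding window
        while (ev["ts"] - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry and ev["ip"] not in banned:
            banned[ev["ip"]] = ev["ts"]
    return banned


def count_by_qname(lines):
    """How many denied queries were seen per queried name (candidates for a block zone)."""
    return Counter(ev["qname"] for ev in map(parse_line, lines) if ev)


if __name__ == "__main__":
    sample = SAMPLE_LOG.splitlines()
    print("would ban:", find_offenders(sample))
    print("denied per name:", dict(count_by_qname(sample)))
```

A point worth keeping in mind when tuning this: `query (cache) ... denied` is BIND reporting that it has already refused the query (the client is not allowed to use this server's cache or recursion), so each such packet costs parsing and a log write rather than a resolution. A firewall ban from fail2ban removes that remaining cost; the regex must take the address from the `client` field and not from the queried name, otherwise a spoofed or attacker-chosen name ends up in your ban list.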
