7

I recently discovered that my server was being used as part of a DNS DDOS. Basically, my BIND setup allowed recursion, and it was used to attack a certain IP address using IP spoofing.

I took the necessary measures to stop this, and disabled recursion. I'm no longer an amplifier, which I guess solves the large problem, but I'm still receiving the queries en mass, and BIND is replying with "denied" to all of them.

I'm just curious to know whether there's anything more I can do. I thought I might configure fail2ban to block them, doing something similar to the Debian recommendations, but according to other websites, and reasonable logic, this is not ideal, as an attacker could easily have me block any IP from accessing my server.

So what else can be done? Or should I just wait for the attackers to give up? Or hope they might rescan and delist me as an amplifier?

TRiG
  • 1,181
  • 3
  • 13
  • 30
Waleed Hamra
  • 751
  • 6
  • 16
  • 2
    If, your attack traffic targets a number of known IPs, then it's ok to blacklist them - either in iptables or inside the bind, don't need even fail2ban. Also see this question - http://serverfault.com/questions/438515/bind-blackhole-for-invalid-recursive-queries Also there's experimental rate-limiting patch for bind - http://www.redbarn.org/dns/ratelimits . – Sandman4 Nov 19 '12 at 21:02

1 Answers1

5

Basically, the fail2ban setup described in the linked article modifies the firewall to DROP (for a limited time) incoming DNS queries from source IPs that are not allowed to query your DNS server. Not a bad idea, but if you're not providing authoritative DNS for one or more domains to the internet, then why not forget about fail2ban, and just DROP all incoming DNS queries from the internet altogether?

If you are running an authoritative DNS server, then, unfortunately, you don't have the luxury of ignoring DNS queries. In that case, I don't think you have much choice but to leave things as you have them (recursion off), and patiently wait for a gradual drop-off in the incoming spoofed traffic. It sure would be nice to be able to configure bind itself to silently ignore queries that it's configured not to answer, but I don't think it has that feature. (Such behaviour would technically violate DNS protocol, after all.) Fail2ban does provide something of an alternative, but as you noted, it's not ideal.

Steven Monday
  • 13,599
  • 4
  • 36
  • 45