I was quite satisfied that the ones I blacklisted were causing my CPU load to spike and have seen no ill effects from having blocked them. I wasn't suggesting anyone blacklist every IP they don't recognize, but rather those that are trying the same thing over and over, such as attempting to update one of my zones.
Restricting everything to port 53 would not have solved the CPU load issue since that is where the traffic was coming in already.

-----Original Message-----
From: bind-users-bounces+jlightner=water....@lists.isc.org [mailto:bind-users-bounces+jlightner=water....@lists.isc.org] On Behalf Of Matus UHLAR - fantomas
Sent: Wednesday, January 20, 2010 3:53 AM
To: bind-users@lists.isc.org
Subject: Re: Server overwhelmed by rejections?

On 19.01.10 08:29, Lightner, Jeff wrote:
> Luckily my machines have enough horsepower not to shut down from this
> but I have on occasion seen the CPU load start going up due to it. On
> lower powered machines this would likely cause what you're seeing.
>
> If you're running a firewall (external device or iptables on Linux) the
> best way to deal with this is to determine the IP or IP range that is
> hammering you and simply blacklist it (drop its packets).
>
> If you're not running a firewall you can blacklist the IPs in
> named.conf.
> In options insert a line like:
>
>     blackhole { blackhats; };
>
> Then create an acl called blackhats with the IPs or range you want to
> drop:
>
>     acl "blackhats" {
>         x.x.x.x; x.x.x/22;
>     };
>
> In the above first x.x.x.x would be a single IP and the x.x.x/22 would
> be an entire 22 CIDR for a given network.

In response to some ddos attacks a year ago, when many servers were receiving queries for ". IN NS", advice was given - don't blackhole those IP addresses. At least some of them are real authoritative-only nameservers and putting them to blackhole would prevent your bind from reaching them.

It's better to firewall off requests from those IP addresses to your port 53.

If you have a recursive-only nameserver, you can safely disable requests to it from unauthorized sources and allow only authorized networks.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
Saving Private Ryan... Private Ryan exists. Overwrite? (Y/N)
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
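The thread turns on two points: picking out the sources that hit the server with the same rejected request over and over (Jeff's criterion for blacklisting), and the difference between BIND's `blackhole` option, which stops named from talking to those addresses in either direction, and an inbound firewall rule on port 53, which is what Matus recommends. The script below is an added example and is not code from the posters or from ISC. It assumes the "client IP#port: ... denied" shape of BIND 9's `security` log category; the log lines, thresholds and addresses are constructed for illustration.

```python
"""Find repeat offenders in BIND's security log and emit both kinds of block rule.

Added example for the bind-users thread above; not the posters' or ISC's code.
Assumes 'security' category messages of the form
    client 192.0.2.10#4321: update 'example.com/IN' denied
    client 198.51.100.7#53: query (cache) './NS/IN' denied
"""
import re
from collections import Counter

# Constructed sample log (RFC 5737 documentation addresses), modelled on the
# "client IP#port: <request> denied" lines named writes to the security channel.
SAMPLE_LOG = """\
20-Jan-2010 03:51:02.101 security: info: client 192.0.2.10#4321: update 'example.com/IN' denied
20-Jan-2010 03:51:02.355 security: info: client 192.0.2.10#4322: update 'example.com/IN' denied
20-Jan-2010 03:51:02.611 security: info: client 192.0.2.10#4323: update 'example.com/IN' denied
20-Jan-2010 03:51:03.002 security: info: client 198.51.100.7#53: query (cache) './NS/IN' denied
20-Jan-2010 03:51:03.876 security: info: client 203.0.113.44#5555: query (cache) 'example.org/A/IN' denied
20-Jan-2010 03:51:04.120 security: info: client 192.0.2.10#4324: update 'example.com/IN' denied
20-Jan-2010 03:51:04.998 security: info: client 198.51.100.7#53: query (cache) './NS/IN' denied
"""

# Source address, then the kind of request that was refused.
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: "
    r"(?P<kind>update|query(?: \([a-z]+\))?|transfer) .*denied"
)


def count_denied(log_text):
    """Count denied requests per (source IP, request kind)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            kind = m.group("kind").split()[0]   # 'query (cache)' -> 'query'
            counts[(m.group("ip"), kind)] += 1
    return counts


def repeat_offenders(counts, threshold):
    """Sources that repeat one kind of refused request at least `threshold` times.

    A single refused query is normal; the thread's criterion is the same
    rejected request arriving again and again.
    """
    return sorted({ip for (ip, _kind), n in counts.items() if n >= threshold})


def bind_blackhole_acl(ips, acl_name="blackhats"):
    """named.conf fragment in the style quoted in the thread.

    Caveat from Matus's reply: 'blackhole' also stops named from *sending*
    queries to these addresses, so a real authoritative server listed here
    becomes unreachable for your own resolution.
    """
    body = "\n".join(f"    {ip};" for ip in ips)
    return (f'acl "{acl_name}" {{\n{body}\n}};\n'
            f"options {{\n    blackhole {{ {acl_name}; }};\n}};\n")


def iptables_port53_rules(ips):
    """Inbound-only drops on port 53 (UDP and TCP), Matus's alternative.

    Replies to queries this host sends out are unaffected, because those
    arrive on an ephemeral source port, not on dport 53.
    """
    rules = []
    for ip in ips:
        for proto in ("udp", "tcp"):
            rules.append(f"iptables -A INPUT -p {proto} --dport 53 -s {ip} -j DROP")
    return rules


if __name__ == "__main__":
    counts = count_denied(SAMPLE_LOG)
    bad = repeat_offenders(counts, threshold=3)
    print("repeat offenders:", bad)          # ['192.0.2.10']
    print(bind_blackhole_acl(bad))
    print("\n".join(iptables_port53_rules(bad)))
```

With the constructed sample, only 192.0.2.10 crosses a threshold of three identical refusals (four denied updates); 198.51.100.7's two refused `. IN NS` queries stay below it, which matches the advice not to reflexively blackhole the sources of that traffic. The threshold and the choice between the two generated rule sets are operator decisions; the firewall form is the safer default when the offending address might also be a nameserver you need to reach.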