Hi Martin

As I understand your description, this has absolutely nothing to do with your 
outgoing DNS requests.

When your colo provider has already null-routed all traffic to your IP, this is 
a strong indicator of a distributed DoS attack.
Usually this can be either DNS- or UDP-based.
DNS-based happens when someone has found a noticeable number of third-party 
recursive DNS resolvers. The attacker sends simple and small UDP-based 
DNS requests to these resolvers and uses your server's IP as the source IP. This is 
why it is UDP-based. The involved resolvers will answer with larger responses 
than the request was (for example the entire SOA part of the zone) and send all 
bytes to your server.

For UDP-based attacks the attacker needs a larger remotely controlled botnet 
(rentable for a couple of $$).
The backbone networks of these bots must be poorly managed so that they 
allow outgoing UDP floods with randomized ports and source IPs.
In this case your provider will see millions of random source IPs and ports 
attacking all random ports of your server. This usually can be 0.5 up to 10 or 
20 Gigabit/s of traffic. Your provider, in order to protect its own network and 
other customers, will null-route your traffic as long as it sees your IP under 
attack.

You can google for hardware and cloud-based DDOS prevention solutions and 
strategies.

Hope this helps
Markus
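Markus's two patterns above (reflected DNS answers arriving because the server's IP was used as a spoofed source, versus a random-source UDP flood) can be told apart in a flow log by checking whether each inbound DNS answer matches a query the server actually sent. The following is an added example, not code from the thread; it assumes a constructed flow-log line format and the sample addresses shown in it.

```python
import re

# Assumed flow-log line format (constructed for this example, not from the thread):
#   udp <src_ip>:<src_port> -> <dst_ip>:<dst_port> len=<bytes> [dns=query|response]
LINE = re.compile(r"udp ([\d.]+):(\d+) -> ([\d.]+):(\d+) len=(\d+)(?: dns=(query|response))?$")

# Constructed sample: 203.0.113.10 sends one query and gets its answer, then
# receives large answers from resolvers it never asked (its address was spoofed),
# plus one stray non-DNS UDP packet.
SAMPLE_LOG = """\
udp 203.0.113.10:51234 -> 198.51.100.1:53 len=60 dns=query
udp 198.51.100.1:53 -> 203.0.113.10:51234 len=120 dns=response
udp 192.0.2.11:53 -> 203.0.113.10:40001 len=3000 dns=response
udp 192.0.2.12:53 -> 203.0.113.10:40002 len=3100 dns=response
udp 192.0.2.13:53 -> 203.0.113.10:40003 len=2900 dns=response
udp 192.0.2.14:53 -> 203.0.113.10:40004 len=3050 dns=response
udp 192.0.2.99:4444 -> 203.0.113.10:8080 len=500
"""

def classify(log_text, our_ip, min_reflectors=3, min_flood_sources=1000):
    """Split inbound UDP into solicited answers, reflected answers and other UDP."""
    outstanding = set()                       # (resolver_ip, our_port) we queried
    stats = {"solicited_bytes": 0, "reflected_pkts": 0, "reflected_bytes": 0,
             "other_udp_pkts": 0}
    reflectors, flood_sources = set(), set()
    # Malformed lines produce no match and are skipped by filter(None, ...).
    for m in filter(None, map(LINE.match, log_text.splitlines())):
        sip, sport, dip, dport, length, dns = m.groups()
        sport, dport, length = int(sport), int(dport), int(length)
        if sip == our_ip and dns == "query":
            outstanding.add((dip, sport))
        elif dip == our_ip and dns == "response":
            if (sip, dport) in outstanding:   # answer to a query we really sent
                outstanding.discard((sip, dport))
                stats["solicited_bytes"] += length
            else:                             # unsolicited answer: reflection
                stats["reflected_pkts"] += 1
                stats["reflected_bytes"] += length
                reflectors.add(sip)
        elif dip == our_ip:                   # non-DNS UDP to arbitrary ports
            stats["other_udp_pkts"] += 1
            flood_sources.add((sip, sport))
    stats["reflectors"] = len(reflectors)
    stats["flood_sources"] = len(flood_sources)
    stats["verdict"] = ("dns-reflection" if stats["reflectors"] >= min_reflectors
                        else "udp-flood" if stats["flood_sources"] >= min_flood_sources
                        else "normal")
    return stats
```

The thresholds are placeholders; in practice they are set relative to the server's normal query rate, and the "reflected_bytes" figure is what a provider sees when deciding to null-route.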


From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Martin Margheim
Sent: Monday, 21 December 2015 19:51
To: community@mailsbestfriend.com
Subject: [MBF] DNS Attack

Recently, my SmarterMail Server underwent a DOS attack. I was puzzled at the 
server center's initial response indicating possible power issues.

My first thought is always that hardware failed. In this instance, such was not 
the case.

I was told my IP was being attacked and NULL Route was applied. A NULL Route 
essentially sends traffic to nowhere.

Response from the colo host: "I apologize if I was not clear in my previous 
response. We needed to block incoming DNS to the server as it appears to be the 
majority of attack traffic. Outbound DNS should still continue to function at 
this time."

While I was given to believe the attack was IP based, the reference that later 
came through was DNS related. I used OpenDNS on the server and felt if anyone 
could / would handle DNS, they would be a good choice.

When I first learned of the DNS attack, I suggested using a different DNS. The 
center chose to continue with the NULL Route believing it would be the best 
choice at the time.

The eventual result was placing a Google DNS as the primary DNS and the server 
came back online.

I am attempting to gain additional information that will help determine what 
configurations should be put in place to help prevent this in the future. The Google 
primary is still in place.

Thanks to Mailsbestfriend, email was successfully bucketed for later delivery.

Fortunately, the attack came at the end of a work day so impact on business 
customers was minimal.

I would entertain thoughts as to how to prepare in order to manage such events 
in the future.

Martin
