Dear PDNS list,

I need some advice on an issue that we've been experiencing on our public DNS servers over the last few days. We have been, and still are, the victims of a terrible DNS DoS amplification attack.

I'm not sure how many others out there are experiencing this issue, but I'm hoping that someone out there may have useful PDNS tips that can be used as a counter-measure. (I've attached a few lines below from the log files, to give you an idea of what is going on.) I am currently using PDNS AS 2.9.21.2-1 on Debian 5 x86.

May 28 15:01:13 ns1 pdns[9603]: Not authoritative for 'filezilla.de', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:18 ns1 pdns[9603]: Not authoritative for 'filezilla.de', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:18 ns1 pdns[9603]: Not authoritative for 'filezilla.de', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:18 ns1 pdns[9603]: Not authoritative for 'blogylana.com', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:19 ns1 pdns[9603]: Not authoritative for 'blogylana.com', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:20 ns1 pdns[9603]: Not authoritative for 'blogylana.com', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:23 ns1 pdns[9603]: Not authoritative for 'filezilla.de', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:25 ns1 pdns[9603]: Not authoritative for 'filezilla.de', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:25 ns1 pdns[9603]: Not authoritative for 'blogylana.com', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:26 ns1 pdns[9603]: Not authoritative for 'filezilla.de', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:28 ns1 pdns[9603]: Not authoritative for 'filezilla.de', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:30 ns1 pdns[9603]: Not authoritative for 'blogylana.com', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:33 ns1 pdns[9603]: Not authoritative for 'blogylana.com', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:33 ns1 pdns[9603]: Not authoritative for 'filezilla.de', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:34 ns1 pdns[9603]: Not authoritative for 'blogylana.com', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:38 ns1 pdns[9603]: Not authoritative for 'blogylana.com', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:39 ns1 pdns[9603]: Not authoritative for 'filezilla.de', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:41 ns1 pdns[9603]: Not authoritative for 'filezilla.de', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:41 ns1 pdns[9603]: Not authoritative for 'blogylana.com', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:43 ns1 pdns[9603]: Not authoritative for 'blogylana.com', sending servfail to 184.22.170.194 (recursion was desired)

Our DNS server is set up as an authoritative server for the zones we host (via the bind backend)... and I can confirm that all recursion has been disabled on this authoritative server.

So far I have done the following:

- cache-ttl is set to 0
- distributor-threads set to 1
- max-tcp-connections set to 60
- negquery-cache-ttl set to 0
- set up iptables with a chain to reject udp/tcp connections to port 53 if they create more than 7 connections per second

(most of the cache settings were disabled anyway, as they mess with a highly modified geo backend that I use)

The firewall has helped a lot... and our upstream ISP has started throttling traffic to our nameservers, which has also helped, at the cost of some dropped legitimate requests.

Upon discussion with one of the ISPs to which we sent an abuse report for one of their IPs, they seem to think that these IP addresses have all been spoofed for this amplification attack.

Any advice/criticism/tips would be appreciated.

Thanks,

Kalpesh



_______________________________________________
Pdns-users mailing list
[email protected]
http://mailman.powerdns.com/mailman/listinfo/pdns-users
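A defender-side triage script for the log format quoted in the post above, as an added example that is neither the poster's nor PowerDNS's own code: it parses the "Not authoritative ... sending servfail" lines, counts refused queries per source address in one-second buckets, and flags addresses that reach the 7-per-second threshold the post's iptables rule uses. The sample lines, the second address 198.51.100.7 and the qname example.net are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Field layout of the "Not authoritative ... sending servfail" lines quoted in the post.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) pdns\[\d+\]: "
    r"Not authoritative for '(?P<qname>[^']+)', sending servfail to "
    r"(?P<src>[0-9a-fA-F.:]+) \(recursion was desired\)$"
)

# Constructed sample in that format: a burst of 8 queries in one second from the address
# seen in the post, one more a second later, one from a constructed second address, one unrelated line.
SAMPLE_LINES = [
    f"May 28 15:01:18 ns1 pdns[9603]: Not authoritative for '{q}', "
    "sending servfail to 184.22.170.194 (recursion was desired)"
    for q in ["filezilla.de", "blogylana.com"] * 4
] + [
    "May 28 15:01:19 ns1 pdns[9603]: Not authoritative for 'filezilla.de', "
    "sending servfail to 184.22.170.194 (recursion was desired)",
    "May 28 15:01:19 ns1 pdns[9603]: Not authoritative for 'example.net', "
    "sending servfail to 198.51.100.7 (recursion was desired)",
    "May 28 15:01:19 ns1 pdns[9603]: constructed unrelated line that must be skipped",
]

def parse_line(line):
    """Fields of one refused-recursion log line, or None if the line is something else."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines):
    """Per source address: total refused queries, peak queries in any one second, qnames."""
    per_second = Counter()
    qnames = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        per_second[(rec["src"], rec["ts"])] += 1
        qnames[rec["src"]].add(rec["qname"])
    stats = {}
    for (src, _ts), n in per_second.items():
        s = stats.setdefault(src, {"total": 0, "peak_per_second": 0})
        s["total"] += n
        s["peak_per_second"] = max(s["peak_per_second"], n)
    for src, s in stats.items():
        s["qnames"] = sorted(qnames[src])
    return stats

def flag_sources(lines, threshold=7):
    """Addresses whose peak rate reaches the threshold. With spoofed traffic these are the
    reflection victims, not the attacker: rate-limit and notify them rather than blocklist."""
    return sorted(src for src, s in summarize(lines).items() if s["peak_per_second"] >= threshold)
```

Run it over the real syslog instead of SAMPLE_LINES to see which addresses are being hit hardest and which qnames the reflected queries use.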