Re: Stopping ddos

2022-08-04 Thread Ed Daniel
On 02/08/2022 22:04, Saleck wrote: On Tuesday 2 August 2022 22:02:58 CEST, Robert Moskowitz wrote: Recently I have been having problems with my server not responding to my requests. I thought it was all sorts of issues, but I finally looked at the logs and: Aug 2 15:47:19 onlo

Re: Stopping ddos

2022-08-04 Thread Lyle Giese
Just my opinion. Don't rate limit tcp.  The RRL feature in Bind only rate limits UDP.  UDP is connection-less and the source address can be forged, generating DDOS traffic to a 3rd party. Proper DNS software will fall back to TCP.  Because TCP is connection based, much harder to forge

Re: Stopping ddos

2022-08-03 Thread Paul Kosinski via bind-users
On Wed, 3 Aug 2022 13:47:41 +0200 Victor Johansson via bind-users wrote: > Hey, > > I just want to add that there is a better way to do this in iptables > with hashlimit. The normal rate limit in iptables is too crude. > > Below is an example from the rate-limit-chain, to which you simply

Re: rate limiting queries with firewall (was: Stopping ddos)

2022-08-03 Thread Grant Taylor via bind-users
On 8/2/22 3:15 PM, Grant Taylor via bind-users wrote: It looks like you're dealing with A queries for the root domain.  I've blocked this, and similar queries, via iptables firewall in the past. I've seen a number of responses to Robert's "Stopping ddos" thread discussing using

Re: Stopping ddos

2022-08-03 Thread Nathan Ollerenshaw via bind-users
On 8/2/22 3:29 PM, Robert Moskowitz wrote: My clients use my internal view.  My external view has:     match-clients        { any; };     match-destinations    { any; };     allow-query        { any; };     allow-query-cache    { localhost; };     recursion no; it's been a while but I

Re: Stopping ddos

2022-08-03 Thread Robert Moskowitz
Thanks.  I will look into this. On 8/3/22 07:47, Victor Johansson via bind-users wrote: Hey, I just want to add that there is a better way to do this in iptables with hashlimit. The normal rate limit in iptables is too crude. Below is an example from the rate-limit-chain, to which you

Re: Stopping ddos

2022-08-03 Thread Victor Johansson via bind-users
Hey, I just want to add that there is a better way to do this in iptables with hashlimit. The normal rate limit in iptables is too crude. Below is an example from the rate-limit-chain, to which you simply send all port 53 traffic from the INPUT chain (make sure to exclude

Re: Stopping ddos

2022-08-02 Thread Peter
On Tue, Aug 02, 2022 at 11:16:15PM +0200, Michael De Roover wrote: ! For my servers I'm using iptables rules to achieve ratelimiting. They ! look as follows: ! -A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent -- ! update --seconds 600 --hitcount 4 --name DEFAULT --mask

Re: Stopping ddos

2022-08-02 Thread Robert Moskowitz via bind-users
On 8/2/22 17:30, Nathan Ollerenshaw via bind-users wrote: On 8/2/22 1:02 PM, Robert Moskowitz wrote: Recently I have been having problems with my server not responding to my requests.  I thought it was all sorts of issues, but I finally looked at the logs and: You're being used as an

Re: Stopping ddos

2022-08-02 Thread KEVIN DARCY via bind-users
ts.isc.org Subject: RE: Stopping ddos >> Any best practices on this? >> >> I am running bind 9.11.4 >> >> thanks > You could think about adding fail2ban to your server with some custom rules. > Helped us in a similar situation. You could also take advantage o

Re: Stopping ddos

2022-08-02 Thread Nathan Ollerenshaw via bind-users
On 8/2/22 1:02 PM, Robert Moskowitz wrote: Recently I have been having problems with my server not responding to my requests.  I thought it was all sorts of issues, but I finally looked at the logs and: Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.194.4#11205 (.): view

RE: Stopping ddos

2022-08-02 Thread Richard T.A. Neal
>> Any best practices on this? >> >> I am running bind 9.11.4 >> >> thanks > You could think about adding fail2ban to your server with some custom rules. > Helped us in a similar situation. You could also take advantage of BIND's built-in Response Rate Limiting which is explained here:

Re: Stopping ddos

2022-08-02 Thread Michael De Roover
For my servers I'm using iptables rules to achieve ratelimiting. They look as follows: -A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent -- update --seconds 600 --hitcount 4 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP -A INPUT -p tcp -m tcp --dport 25 -m state --state

Re: Stopping ddos

2022-08-02 Thread Grant Taylor via bind-users
On 8/2/22 2:02 PM, Robert Moskowitz wrote: Any best practices on this? It looks like you're dealing with A queries for the root domain. I've blocked this, and similar queries, via iptables firewall in the past. Also, make sure that you apply the same BIND ACL to the cache that you do for

Re: Stopping ddos

2022-08-02 Thread Saleck
On Tuesday 2 August 2022 22:02:58 CEST, Robert Moskowitz wrote: > Recently I have been having problems with my server not responding to my > requests. I thought it was all sorts of issues, but I finally looked at > the logs and: > > Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80

Stopping ddos

2022-08-02 Thread Robert Moskowitz
Recently I have been having problems with my server not responding to my requests.  I thought it was all sorts of issues, but I finally looked at the logs and: Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.194.4#11205 (.): view external: query (cache) './A/IN' denied Aug  2