Re: [Pdns-users] PDNS Authoritative Server DDOS Protection
Hi Hamed,

On 07/21/2018 08:08 AM, Hamed Haghshenas wrote:
> For attacks built by Mausezahn with a small source address subnet, it
> worked fine and blocked every /32 that reached the query rate, but when
> using a big source subnet like /20 it can't manage the queries and the
> CPU rate increases.

What is the size of your in-memory ring buffers? The dynamic blocks code
uses them to look at recent queries and responses, and to apply the rate
limits. If you have a very high number of queries per second, you might
need to increase the size of the buffers (see [1]) so we are scanning at
least a few seconds of traffic.

But more importantly, if you have more than one receiver thread (created
with addLocal()) or backend thread (created with newServer()) you'll want
to take advantage of the sharding of the buffers introduced in 1.3.0 to
limit lock contention. I have had good results with the following
setRingBuffersSize():

  setRingBuffersSize(100, 500)

It increases the size of the buffers to 1M entries instead of the 10k
default, which might be a bit too much depending on your usage, and splits
them into 500 shards so a thread is much less likely to be waiting for
another one to finish using the buffers.

> Could you please let me know if there is any way to force the dynamic
> block function to check /24 subnets instead of /32 and, for every /24
> source subnet, block the /24 if its query rate is exceeded? For example,
> for 10.10.10.0/24, if the query rate exceeds 10 for 10s then block
> 10.10.10.0/24.

I'm afraid there is currently no way to do that with dnsdist. Please feel
free to open a new feature request at [2] so we remember to look into it.

[1]: https://dnsdist.org/reference/config.html#setRingBuffersSize
[2]: https://github.com/PowerDNS/pdns/issues/new

Best regards,
Remi

> -----Original Message-----
> From: Pdns-users [mailto:pdns-users-boun...@mailman.powerdns.com] On Behalf Of bert hubert
> Sent: Tuesday, July 17, 2018 3:49 PM
> To: pdns-users@mailman.powerdns.com
> Subject: Re: [Pdns-users] PDNS Authoritative Server DDOS Protection
>
> On Tue, Jul 17, 2018 at 03:24:22PM +0430, Hamed Haghshenas wrote:
>> Could you please let me know how to handle these large DDOS attacks?
>
> Hi Hamed,
>
> Please take a look at
> https://dnsdist.org/guides/dynblocks.html#dynblockrulesgroup
>
> This is specifically meant for the case of many different IP
> addresses attacking you.
>
> Good luck!

--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
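To make concrete what Hamed is asking for and why the per-/32 rule misses a spread-out source set, here is an added offline illustration (not dnsdist code, and not a dnsdist feature, as Remi's reply says): it replays a constructed query log through a setQueryRate-style threshold, once per /32 and once aggregated per /24. The function names and the sample log are assumptions made for this example.

```python
# Offline replay of a setQueryRate-style rule over a query log, aggregated
# per /32 and per /24.  Added illustration with constructed data; not
# dnsdist code and not a feature dnsdist offers.
import ipaddress
from collections import defaultdict

# Constructed sample query log: (timestamp in seconds, source address).
SAMPLE_LOG = (
    # 40 hosts in one /24, three queries each: no single /32 is noisy.
    [(t, f"10.10.10.{h}") for h in range(1, 41) for t in (0.0, 1.5, 2.0)]
    # One host hammering on its own: 12 queries in about a second.
    + [(0.1 * i, "192.0.2.7") for i in range(12)]
    # An ordinary client, and an old burst that falls outside the window.
    + [(5.0, "198.51.100.9")]
    + [(-30.0, "203.0.113.4")] * 20
)


def covering_network(ip, prefix_len):
    """Map an address to its covering prefix, e.g. 10.10.10.5 -> 10.10.10.0/24."""
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)


def rate_offenders(log, rate, seconds, prefix_len=32):
    """Return {network: count} for each prefix whose query count within the
    last `seconds` of the log exceeds rate * seconds.  This mirrors the shape
    of dynBlockRulesGroup:setQueryRate(rate, seconds, ...) (a simplification
    of dnsdist's window handling), but keyed on prefix_len instead of /32."""
    now = max(ts for ts, _ in log)
    counts = defaultdict(int)
    for ts, src in log:
        if now - ts <= seconds:
            counts[covering_network(src, prefix_len)] += 1
    limit = rate * seconds
    return {net: n for net, n in counts.items() if n > limit}


def plan_blocks(log, rate, seconds, block_seconds, prefix_len=32):
    """The block list a prefix-aware rule would install: {prefix: duration}."""
    return {str(net): block_seconds
            for net in rate_offenders(log, rate, seconds, prefix_len)}


if __name__ == "__main__":
    # 1 qps over a 10 s window, block for 60 s (compare the thread's
    # setQueryRate(3, 10, "Exceeded query rate", 60)).
    print("per /32:", plan_blocks(SAMPLE_LOG, 1, 10, 60, 32))
    print("per /24:", plan_blocks(SAMPLE_LOG, 1, 10, 60, 24))
```

Per /32 only the single loud host is caught; per /24 the spread-out source block is caught as well, which is the aggregation the thread asks about.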
Re: [Pdns-users] PDNS Authoritative Server DDOS Protection
Hi,

Is there any update here? Could anyone help me on this?

BR,
Hamed Haghshenas

-----Original Message-----
From: Hamed Haghshenas [mailto:haghshe...@chavoosh.com]
Sent: Saturday, July 21, 2018 10:38 AM
To: 'pdns-users@mailman.powerdns.com'
Subject: RE: [Pdns-users] PDNS Authoritative Server DDOS Protection

Hi Bert,

Thanks for your solution, I use it as below:

  local dbr = dynBlockRulesGroup()
  dbr:setQueryRate(3, 10, "Exceeded query rate", 60)
  dbr:setRCodeRate(dnsdist.NXDOMAIN, 3, 10, "Exceeded NXD rate", 60)
  dbr:setRCodeRate(dnsdist.SERVFAIL, 3, 10, "Exceeded ServFail rate", 60)
  dbr:setQTypeRate(dnsdist.ANY, 3, 10, "Exceeded ANY rate", 60)
  dbr:setResponseByteRate(5000, 10, "Exceeded resp BW rate", 60)

  function maintenance()
    dbr:apply()
  end

For attacks built by Mausezahn with a small source address subnet, it worked fine and blocked every /32 that reached the query rate, but when using a big source subnet like /20 it can't manage the queries and the CPU rate increases.

Could you please let me know if there is any way to force the dynamic block function to check /24 subnets instead of /32 and, for every /24 source subnet, block the /24 if its query rate is exceeded? For example, for 10.10.10.0/24, if the query rate exceeds 10 for 10s then block 10.10.10.0/24.

BR,
Hamed Haghshenas

-----Original Message-----
From: Pdns-users [mailto:pdns-users-boun...@mailman.powerdns.com] On Behalf Of bert hubert
Sent: Tuesday, July 17, 2018 3:49 PM
To: pdns-users@mailman.powerdns.com
Subject: Re: [Pdns-users] PDNS Authoritative Server DDOS Protection

On Tue, Jul 17, 2018 at 03:24:22PM +0430, Hamed Haghshenas wrote:
> Could you please let me know how to handle these large DDOS attacks?

Hi Hamed,

Please take a look at https://dnsdist.org/guides/dynblocks.html#dynblockrulesgroup

This is specifically meant for the case of many different IP addresses attacking you.

Good luck!
Re: [Pdns-users] PDNS Authoritative Server DDOS Protection
Hi Bert,

Thanks for your solution, I use it as below:

  local dbr = dynBlockRulesGroup()
  dbr:setQueryRate(3, 10, "Exceeded query rate", 60)
  dbr:setRCodeRate(dnsdist.NXDOMAIN, 3, 10, "Exceeded NXD rate", 60)
  dbr:setRCodeRate(dnsdist.SERVFAIL, 3, 10, "Exceeded ServFail rate", 60)
  dbr:setQTypeRate(dnsdist.ANY, 3, 10, "Exceeded ANY rate", 60)
  dbr:setResponseByteRate(5000, 10, "Exceeded resp BW rate", 60)

  function maintenance()
    dbr:apply()
  end

For attacks built by Mausezahn with a small source address subnet, it worked fine and blocked every /32 that reached the query rate, but when using a big source subnet like /20 it can't manage the queries and the CPU rate increases.

Could you please let me know if there is any way to force the dynamic block function to check /24 subnets instead of /32 and, for every /24 source subnet, block the /24 if its query rate is exceeded? For example, for 10.10.10.0/24, if the query rate exceeds 10 for 10s then block 10.10.10.0/24.

BR,
Hamed Haghshenas

-----Original Message-----
From: Pdns-users [mailto:pdns-users-boun...@mailman.powerdns.com] On Behalf Of bert hubert
Sent: Tuesday, July 17, 2018 3:49 PM
To: pdns-users@mailman.powerdns.com
Subject: Re: [Pdns-users] PDNS Authoritative Server DDOS Protection

On Tue, Jul 17, 2018 at 03:24:22PM +0430, Hamed Haghshenas wrote:
> Could you please let me know how to handle these large DDOS attacks?

Hi Hamed,

Please take a look at https://dnsdist.org/guides/dynblocks.html#dynblockrulesgroup

This is specifically meant for the case of many different IP addresses attacking you.

Good luck!
Re: [Pdns-users] PDNS Authoritative Server DDOS Protection
On Tue, Jul 17, 2018 at 03:24:22PM +0430, Hamed Haghshenas wrote:
> Could you please let me know how to handle these large DDOS attacks?

Hi Hamed,

Please take a look at https://dnsdist.org/guides/dynblocks.html#dynblockrulesgroup

This is specifically meant for the case of many different IP addresses attacking you.

Good luck!
Re: [Pdns-users] PDNS Authoritative Server DDOS Protection
Dear Bert,

Hi, and thanks for your solution. I configured dnsdist like below:

  setLocal("172.16.1.98:53", {reuseport=true})
  addLocal('127.0.0.1:53')
  newServer("127.0.0.1:5300")
  newServer("172.16.1.106:5300")
  setACL({'0.0.0.0/0'})
  addAction(MaxQPSIPRule(2, 24, 48), DropAction())
  carbonServer("172.16.1.166", "web45-dnsdist")
  controlSocket('127.0.0.1:5199')
  setConsoleACL('127.0.0.0/24')
  setKey("6mJMt0+Bh7nmtCd0hzxvA5UtsywEpfTq8V4uvWYequc=")
  webserver("172.16.1.98:8083", "Chav00sh", "6mJMt0+Bh7")

I use Mausezahn to simulate DOS and DDOS attacks. When I check the webserver and my Metronome, in a DOS attack it does well and the CPU rate is low, but when I make a DDOS attack with random SRC IP addresses the CPU increases to 90%, many queries drop, and the match rule is not effective.

Could you please let me know how to handle these large DDOS attacks? Can the EBPF kernel manage DDOS?

Note: I use this command to make DDOS attacks:

  mz eno1628 -A rand -B 172.16.1.98 -t dns "q=geo.web45.ir" -c 0 -d 1 -4

BR,
Hamed Haghshenas

-----Original Message-----
From: bert hubert [mailto:bert.hub...@powerdns.com]
Sent: Saturday, July 7, 2018 4:39 PM
To: Hamed Haghshenas
Cc: pdns-users@mailman.powerdns.com
Subject: Re: [Pdns-users] PDNS Authoritative Server DDOS Protection

On Sat, Jul 07, 2018 at 03:49:16PM +0430, Hamed Haghshenas wrote:
> I'm using PDNS Authoritative Server 4.1.3; today I see my server not
> responding and errors or timeouts on resolves.

Hi Hamed,

What you can best do is install dnsdist and put it in front of your authoritative servers. Try this dnsdist.conf, assuming your auth server will listen on 127.0.0.1 and your current auth server IP is 1.2.3.4:

  newServer("127.0.0.1")
  setLocal("1.2.3.4")
  addAction(MaxQPSIPRule(10), DropAction())

This restricts each individual IP address to 10 queries per second.

I also recommend you set up the internal webserver, which will give you a good feel for what is going on: https://dnsdist.org/guides/webserver.html

If you don't want to drop, you can also shift traffic to TCP, which stops most attacks:

  addAction(AndRule({TCPRule(false), MaxQPSIPRule(10)}), TCAction())

If this is not enough, you could use the EBPF kernel based limits as described in https://dnsdist.org/advanced/ebpf.html

This allows you to filter like 20gbit/s of unwanted traffic if need be, but it does require a recent kernel.

Good luck!

> When I check the server I see too many DNS requests from some IPs from
> Brazil, like a DDOS attack. To fix errors and timeouts, I block the
> attacker subnet in my firewall.
>
> Now could you please let me know how to protect my server from DOS and
> DDOS attacks?
>
> Best Regards,
>
> Hamed Haghshenas
Re: [Pdns-users] PDNS Authoritative Server DDOS Protection
On Sat, Jul 07, 2018 at 03:49:16PM +0430, Hamed Haghshenas wrote:
> I'm using PDNS Authoritative Server 4.1.3; today I see my server not
> responding and errors or timeouts on resolves.

Hi Hamed,

What you can best do is install dnsdist and put it in front of your authoritative servers. Try this dnsdist.conf, assuming your auth server will listen on 127.0.0.1 and your current auth server IP is 1.2.3.4:

  newServer("127.0.0.1")
  setLocal("1.2.3.4")
  addAction(MaxQPSIPRule(10), DropAction())

This restricts each individual IP address to 10 queries per second.

I also recommend you set up the internal webserver, which will give you a good feel for what is going on: https://dnsdist.org/guides/webserver.html

If you don't want to drop, you can also shift traffic to TCP, which stops most attacks:

  addAction(AndRule({TCPRule(false), MaxQPSIPRule(10)}), TCAction())

If this is not enough, you could use the EBPF kernel based limits as described in https://dnsdist.org/advanced/ebpf.html

This allows you to filter like 20gbit/s of unwanted traffic if need be, but it does require a recent kernel.

Good luck!

> When I check the server I see too many DNS requests from some IPs from
> Brazil, like a DDOS attack. To fix errors and timeouts, I block the
> attacker subnet in my firewall.
>
> Now could you please let me know how to protect my server from DOS and
> DDOS attacks?
>
> Best Regards,
>
> Hamed Haghshenas
Re: [Pdns-users] PDNS Authoritative Server DDOS Protection
Dear Mohamad,

My server is public and I offer my service to lots of domains, so I can't specify the subnets.

BR,
Hamed Haghshenas

From: Mohamad F. Barham [mailto:mbar...@birzeit.edu]
Sent: Saturday, July 7, 2018 3:55 PM
To: Hamed Haghshenas; pdns-users@mailman.powerdns.com
Subject: Re: [Pdns-users] PDNS Authoritative Server DDOS Protection

In the conf file, you can specify the subnets that are allowed to use this server, s.t. (default):

  allow-from = 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16

_
From: Pdns-users <pdns-users-boun...@mailman.powerdns.com> on behalf of Hamed Haghshenas <haghshe...@chavoosh.com>
Sent: Saturday, July 7, 2018 2:19:16 PM
To: pdns-users@mailman.powerdns.com
Subject: [Pdns-users] PDNS Authoritative Server DDOS Protection

Hi,

I'm using PDNS Authoritative Server 4.1.3; today I see my server not responding and errors or timeouts on resolves.

When I check the server I see too many DNS requests from some IPs from Brazil, like a DDOS attack. To fix errors and timeouts, I block the attacker subnet in my firewall.

Now could you please let me know how to protect my server from DOS and DDOS attacks?

Best Regards,

Hamed Haghshenas

~~
The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by responding to this email and then delete it from your system. The University is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt.
~~
Re: [Pdns-users] PDNS Authoritative Server DDOS Protection
In the conf file, you can specify the subnets that are allowed to use this server, s.t. (default):

  allow-from = 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16

From: Pdns-users on behalf of Hamed Haghshenas
Sent: Saturday, July 7, 2018 2:19:16 PM
To: pdns-users@mailman.powerdns.com
Subject: [Pdns-users] PDNS Authoritative Server DDOS Protection

Hi,

I'm using PDNS Authoritative Server 4.1.3; today I see my server not responding and errors or timeouts on resolves.

When I check the server I see too many DNS requests from some IPs from Brazil, like a DDOS attack. To fix errors and timeouts, I block the attacker subnet in my firewall.

Now could you please let me know how to protect my server from DOS and DDOS attacks?

Best Regards,

Hamed Haghshenas
[Pdns-users] PDNS Authoritative Server DDOS Protection
Hi,

I'm using PDNS Authoritative Server 4.1.3; today I see my server not responding and errors or timeouts on resolves.

When I check the server I see too many DNS requests from some IPs from Brazil, like a DDOS attack. To fix errors and timeouts, I block the attacker subnet in my firewall.

Now could you please let me know how to protect my server from DOS and DDOS attacks?

Best Regards,

Hamed Haghshenas