On 07/04/2013, at 10:28 AM, Jake Anderson wrote:

> Presumably the requests are generally coming from a limited subset of 
> addresses.
> I suggest grepping your logs, and pulling out all the requests matching those 
> patterns.
> then pull out the distinct addresses.
> then just putting a firewall block rule in place.

This doesn't really help much. The rates up from individual compromised 
machines are quite low, even major ISPs only see 0.5Mbps or so from compromised 
machines using DNS reflector DDoS. That's the essence of the "distributed" 
attack -- data rates are low enough to be "underneath the radar" from most 
viewpoints (although obviously not from viewpoint of the network being flooded).

Configure a DNS primary or secondary server so that it only answers for 
non-recursive queries and only for those zones for which it is a primary or a 
secondary. If you are being hammered, then limit the size of the Additional 
Records to the minimum (e.g., make clients query for a second time to resolve a 
CNAME).

Configure a DNS forwarder so that it only answers for the IP address range of 
the expected clients, and is bound only to the interface on which those queries 
are expected. Do give answers for unallocated networks rather than letting them 
recurse (see RFC1604).

I really should update AUSCERT's AL1999-004
http://www.auscert.org.au/render.html?it=80&template=1
although apart from updating the bogon list and adding IPv6 there's not really 
that much which has changed in 13 years.

-glen
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
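The two rules Glen describes (an authoritative server that never recurses and answers only for the zones it serves, and a forwarder that serves only its own client ranges) plus the point about trimming the Additional section are modelled below as a small stand-alone Python script. This is an added example, not code from the thread or from any DNS server; the zones `example.com.`/`example.net.`, the client ranges `192.0.2.0/24` and `2001:db8::/32`, the record counts and the choice to drop (rather than REFUSE) out-of-range forwarder clients are all assumptions made for the demonstration. The wire encoding follows RFC 1035 section 4.1 without name compression, so the byte counts are a little larger than a real server would send, but the ratio between a full and a minimal response is the point.

```python
import ipaddress
import struct

# Constructed values for this example (not from the post): the zones the
# authoritative server is primary/secondary for, and the client ranges the
# forwarder is meant to serve.
OUR_ZONES = ("example.com.", "example.net.")
CLIENT_NETS = [ipaddress.ip_network("192.0.2.0/24"),
               ipaddress.ip_network("2001:db8::/32")]

FLAG_QR, FLAG_AA, FLAG_RD = 0x8000, 0x0400, 0x0100
QTYPE_A, QTYPE_ANY = 1, 255


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels (RFC 1035 section 3.1)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(qname, qtype=QTYPE_ANY, rd=True, txid=0x1234):
    """Encode a one-question DNS query; ANY with RD set is the classic reflector probe."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD if rd else 0, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_query(pkt):
    """Decode the header flags and the first question of a query packet."""
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, off = [], 12
    while pkt[off]:                       # walk labels until the zero-length root
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode())
        off += 1 + n
    qtype, _qclass = struct.unpack("!HH", pkt[off + 1:off + 5])
    return {"id": txid, "rd": bool(flags & FLAG_RD),
            "qname": ".".join(labels) + ".", "qtype": qtype,
            "question": pkt[12:off + 5]}


def encode_rr(name, rtype, rdata, ttl=300):
    """Encode one resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_response(query, answers, additional):
    """Build an authoritative response. RA is deliberately never set: this server
    does not recurse for anyone, whatever the RD bit in the query says."""
    q = parse_query(query)
    header = struct.pack("!HHHHHH", q["id"], FLAG_QR | FLAG_AA,
                         1, len(answers), 0, len(additional))
    return header + q["question"] + b"".join(answers) + b"".join(additional)


def in_zone(qname, zones=OUR_ZONES):
    return any(qname == z or qname.endswith("." + z) for z in zones)


def authoritative_policy(query):
    """Rule 1: answer only for zones we are primary/secondary for, never recurse;
    anything else gets REFUSED (a response no bigger than the query)."""
    return "ANSWER" if in_zone(parse_query(query)["qname"]) else "REFUSED"


def forwarder_policy(query, src_ip):
    """Rule 2: recurse only for our own client ranges. Other sources are dropped
    here (the blackhole/firewall equivalent), so there is nothing to reflect."""
    src = ipaddress.ip_address(src_ip)
    parse_query(query)                   # still validate the packet before deciding
    return "RECURSE" if any(src in net for net in CLIENT_NETS) else "DROP"


def amplification(query, response):
    """Bytes sent to the victim per byte the attacker spoofs."""
    return len(response) / len(query)


def demo():
    """Same ANY query answered with and without a padded Additional section."""
    query = build_query("example.com.")
    answers = [encode_rr("example.com.", QTYPE_A, bytes([192, 0, 2, i])) for i in range(1, 5)]
    glue = [encode_rr(f"ns{i}.example.com.", QTYPE_A, bytes([198, 51, 100, i])) for i in range(1, 7)]
    full = build_response(query, answers, glue)
    minimal = build_response(query, answers, [])
    return {"query": len(query), "full": len(full), "minimal": len(minimal),
            "full_ratio": round(amplification(query, full), 1),
            "minimal_ratio": round(amplification(query, minimal), 1)}


if __name__ == "__main__":
    print(demo())
    print(authoritative_policy(build_query("www.example.com.")),
          authoritative_policy(build_query("example.org.")))
    print(forwarder_policy(build_query("example.org."), "192.0.2.10"),
          forwarder_policy(build_query("example.org."), "203.0.113.5"))
```

Running it shows the 29-byte ANY query drawing a 323-byte response with glue (about 11x) and 137 bytes without it (under 5x), which is the gain Glen is pointing at when he says to cut the Additional records to the minimum. On a real BIND 9 the equivalents of the two policies are `recursion no;` on the authoritative box, and `allow-recursion { <client ACL>; };` plus `listen-on { <inside interface>; };` on the forwarder, with `minimal-responses yes;` trimming the Additional and Authority sections; those option names are mine, not from the post.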