Unfortunately, the changes didn't yield many results. The flood attack happened again, but at a different time.
Any more suggestions?

Regards,
izake

On Mon, Mar 24, 2025 at 12:18 PM sir izake <siriz...@gmail.com> wrote:

> thank you all
>
> "unbound-control get_option access-control" shows a list of IP blocks I
> have allowed/denied.
>
> I have also done the explicit deny and recommended config hardening.
>
> I will monitor and see if the issue reoccurs.
>
> Thank you
> izake
>
> On Mon, Mar 24, 2025 at 10:48 AM <unbound-users-requ...@lists.nlnetlabs.nl>
> wrote:
>
>> Today's Topics:
>>
>> 1. Unbound dns resolver involved in DNS Amplification attack (sir izake)
>> 2. Re: Unbound dns resolver involved in DNS Amplification attack (Yuri)
>> 3. Re: Unbound dns resolver involved in DNS Amplification attack (Cristiano Deana)
>> 4. Re: Unbound dns resolver involved in DNS Amplification attack (Yuri)
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Mon, 24 Mar 2025 10:18:38 +0000
>> From: sir izake <siriz...@gmail.com>
>> To: unbound-users@lists.nlnetlabs.nl
>> Subject: Unbound dns resolver involved in DNS Amplification attack
>>
>> Hi
>>
>> I run an unbound dns cache resolver (version 1.22.0) on a freebsd 14.2
>> server. It is configured to only respond to queries from the local host
>> and my network IP block.
>>
>> Recently, I detected my server was involved in a DNS amplification attack.
>> By default unbound doesn't respond to any query outside those allowed in
>> the access list in the config file. How do I uncover the source IPs
>> involved and potentially block them?
>>
>> Are there other options I need to enable to prevent further amplification
>> attacks?
>>
>> I have checked the server and don't see any suspicious process running.
>>
>> Your support and advice is greatly appreciated.
>>
>> Regards
>> izake
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Mon, 24 Mar 2025 15:32:42 +0500
>> From: Yuri <yvoi...@gmail.com>
>> To: unbound-users@lists.nlnetlabs.nl
>> Subject: Re: Unbound dns resolver involved in DNS Amplification attack
>>
>> To begin, restrict access from outside using standard Unbound
>> configuration (example from one of my setups):
>>
>>     access-control: 0.0.0.0/0 refuse
>>     access-control: 127.0.0.0/8 allow_snoop
>>     access-control: 192.168.0.0/16 allow_snoop
>>     access-control: 172.16.0.0/12 allow_snoop
>>     access-control: ::0/0 refuse
>>     access-control: ::1 allow
>>     access-control: ::ffff:127.0.0.1 allow
>>
>> Additionally, cut off external access with a server firewall and/or on
>> the border. And finally, check the internal network to see if it is
>> trooped.
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Mon, 24 Mar 2025 11:33:26 +0100
>> From: Cristiano Deana <cristiano.de...@megaweb.it>
>> To: unbound-users@lists.nlnetlabs.nl
>> Subject: Re: Unbound dns resolver involved in DNS Amplification attack
>>
>> On 24/03/2025 11:18, sir izake via Unbound-users wrote:
>>
>> Hi,
>>
>> > I run an unbound dns cache resolver (version 1.22.0) on a freebsd 14.2
>> > server. It is configured to only respond to queries from the local host
>> > and my network IP block.
>>
>> what do you get with `unbound-control get_option access-control'?
>>
>> > Recently, I detected my server was involved in a DNS amplification
>> > attack. By default unbound doesn't respond to any query outside those
>> > allowed in the access list in the config file. How do I uncover the
>> > source IPs involved and potentially block them?
>> >
>> > Are there other options I need to enable to prevent further
>> > amplification attacks?
>> >
>> > I have checked the server and don't see any suspicious process running.
>> >
>> > Your support and advice is greatly appreciated.
>> >
>> > Regards
>> > izake
>>
>> --
>>
>> ###############################
>> # Cristiano Deana             #
>> #                             #
>> # Senior Network Engineer     #
>> # Digital Response Team       #
>> # CittaStudi S.p.a.           #
>> # off. +39 015 855 1172       #
>> # cell +39 328 310 6392       #
>> ###############################
>>
>> ------------------------------
>>
>> Message: 4
>> Date: Mon, 24 Mar 2025 15:48:03 +0500
>> From: Yuri <yvoi...@gmail.com>
>> To: unbound-users@lists.nlnetlabs.nl
>> Subject: Re: Unbound dns resolver involved in DNS Amplification attack
>>
>> Ah, I was inattentive. It seems to me that a consistent set of actions
>> is needed here, as in the case of an incident. Listening to traffic - in
>> order to catch illegitimate traffic and try to determine its source.
>> Scanning the external access point for open ports. Checking the firewall
>> and routing settings. And - yes, of course, it is worth starting with
>> checking the config and its hardening.
>>
>> ------------------------------
>>
>> End of Unbound-users Digest, Vol 63, Issue 9
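
An added example, not written by anyone in the thread, for the traffic-listening step suggested in Message 4: it classifies captured query sources against the access-control entries posted in Message 2, picking the most specific matching netblock as Unbound does, and counts queries per source. The capture lines are constructed in the text format of `tcpdump -n udp dst port 53`, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# access-control entries as posted in the thread.
ACL_TEXT = """\
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow_snoop
access-control: 192.168.0.0/16 allow_snoop
access-control: 172.16.0.0/12 allow_snoop
access-control: ::0/0 refuse
access-control: ::1 allow
access-control: ::ffff:127.0.0.1 allow
"""
# Constructed sample in the text format of `tcpdump -n udp dst port 53`.
CAPTURE = """\
10:18:01.000101 IP 192.168.4.20.40112 > 192.168.0.53.53: 1201+ A? www.example.org. (33)
10:18:01.000207 IP 198.51.100.23.53211 > 192.168.0.53.53: 4660+ [1au] ANY? example.com. (40)
10:18:01.000311 IP 198.51.100.23.53211 > 192.168.0.53.53: 4661+ [1au] ANY? example.com. (40)
10:18:01.000415 IP 192.168.9.77.6112 > 192.168.0.53.53: 4662+ [1au] ANY? example.com. (40)
10:18:01.000519 IP 192.168.9.77.6112 > 192.168.0.53.53: 4663+ [1au] ANY? example.com. (40)
10:18:01.000623 IP6 2001:db8::9.50000 > 2001:db8::53.53: 77+ AAAA? example.net. (29)
"""
ACL_RE = re.compile(r"access-control:\s*(\S+)\s+(\S+)")
QUERY_RE = re.compile(r" IP6? (\S+)\.\d+ > \S+\.53: \d+\S* (?:\[[^\]]*\] )?(\w+)\? ")

def parse_acl(text):
    """Return [(network, action)] for every access-control line."""
    return [(ipaddress.ip_network(n, strict=False), a) for n, a in ACL_RE.findall(text)]

def acl_action(rules, addr):
    """Action of the most specific netblock containing addr (line order is irrelevant)."""
    ip = ipaddress.ip_address(addr)
    hits = [(n.prefixlen, a) for n, a in rules if n.version == ip.version and ip in n]
    return max(hits)[1] if hits else "refuse"  # assumption: no match means refused

def summarize(rules, capture):
    """Count captured queries per (source, ACL action, query type)."""
    found = (m.groups() for m in map(QUERY_RE.search, capture.splitlines()) if m)
    return Counter((src, acl_action(rules, src), qt) for src, qt in found)

def answered_sources(counts):
    """Per-source totals for allowed clients, the only ones sent full answers."""
    out = Counter()
    for (src, action, _qtype), n in counts.items():
        if action.startswith("allow"):
            out[src] += n
    return out
```

Sources returned by `answered_sources` fall inside allowed netblocks, so they are either internal hosts or packets with spoofed internal addresses that the border firewall should be dropping. Clients matched by `refuse` still receive a small REFUSED reply, whereas `deny` sends nothing back.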