Hello,

I have just subscribed here, but we have been dealing with this problem for about a year.

Here is our solution - a watchdog script that does "unbound-control dump_requestlist" at regular interval to see how many concurrent recursive queries are being worked upon.

If there is a flood, this will spike over a defined limit (depending on normal traffic), and the following action is taken:

The flooding queries typically have the same structure - <random_string>.<some_domain>, so that the server cannot use cache and wastes resources on doing a recursive query.

When the number of concurrent queries spikes, the script counts them by domain, and those domains that exceed a defined share (usually over a quarter) are temporarily blacklisted via "unbound-control local_zone deny" (you can use "reject" too, or serve an authoritative NXDOMAIN answer if you prefer). This solution takes advantage of the fact that legitimate queries are most often quickly finished, and only the bogus ones pile up and clog the server's memory.

This temporary blacklist is cleared once a day automatically. All blacklisted zones are logged and I review them regularly; there is an absolute minimum of false positives. The script also supports whitelisting of zones you never ever want to blacklist.

I can share the script if anyone is interested.

--
Best regards,
Daniel Ryšlink
System Administrator

Dial Telecom a. s.
Křižíkova 36a/237
186 00 Praha 3, Czech Republic
Tel.:+420.226204627
[email protected]
-----------------------------------------------
www.dialtelecom.cz
Dial Telecom, a.s.
Simply connect
-----------------------------------------------
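The core of the watchdog described above, as an added illustration rather than Daniel's script: it parses a constructed sample of "unbound-control dump_requestlist" output (the column layout is assumed, not copied from the page), groups in-flight queries by the last two labels (an assumed heuristic for <random_string>.<some_domain>), and only builds the deny commands instead of running them.

```python
from collections import Counter

# Constructed sample resembling "unbound-control dump_requestlist" output.
# Column layout is an assumption; adjust parse_requestlist() to the real one.
SAMPLE_DUMP = """thread #0
#   type cl name    seconds    module status
  0    A IN x7k2q9.victim.example.  -  iterator wants x7k2q9.victim.example. A IN
  1    A IN p0olz.victim.example.  -  iterator wants p0olz.victim.example. A IN
  2    A IN www.legit.example.  -  iterator wants www.legit.example. A IN
  3    A IN qq81m.victim.example.  -  iterator wants qq81m.victim.example. A IN
  4 AAAA IN mail.other.example.  -  iterator wants mail.other.example. AAAA IN
"""


def parse_requestlist(dump):
    """Return the query names currently in flight, one per request line."""
    names = []
    for line in dump.splitlines():
        # Skip blank lines, the per-thread banner and the column header.
        if not line.strip() or line.startswith(("thread", "#")):
            continue
        fields = line.split()
        if len(fields) >= 4:  # id, type, class, name, ...
            names.append(fields[3].rstrip(".").lower())
    return names


def parent_domain(name, labels=2):
    """Assumed heuristic: the flooded zone is the last two labels."""
    parts = name.split(".")
    return ".".join(parts[-labels:]) if len(parts) >= labels else name


def domains_to_block(names, min_concurrent=4, max_share=0.25, whitelist=()):
    """Zones holding more than max_share of in-flight queries, considered
    only once the request list exceeds min_concurrent entries (tune to
    normal traffic); whitelisted zones are never returned."""
    total = len(names)
    if total < min_concurrent:
        return []
    counts = Counter(parent_domain(n) for n in names)
    return sorted(d for d, c in counts.items()
                  if c / total > max_share and d not in whitelist)


def deny_commands(domains):
    """unbound-control invocations that temporarily deny the flooded zones."""
    return [f"unbound-control local_zone {d}. deny" for d in domains]
```

A cron job would run the real dump, feed it to these functions, execute the commands, log the zones, and clear them daily with "unbound-control local_zone_remove".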

On 03/31/2015 11:53 PM, Thomas wrote:
Hi,

We have the same problem.

Attacks are random and with many source IPs (botnets). Therefore it is harder to have an automatic system to block source IPs. Our kind of "workaround" was to increase the request_list size from the default 1024 to a higher number and to enable jostle-timeout to something like 4sec. Therefore requests do not stay too long in the request_list once the box is under load. Manual iptables rules are not maintainable; we only manually block IPs for the biggest hitter. I agree that what we are doing is _not_ a fix to the problem because we just allocated more resources to deal with the junk, but jostle-timeout definitely helps. I asked about it almost a year ago on this mailing list.

Subject: Unbound DDoS / reflexion attack counter-measure ?
Date: 30/05/14 22:20

> Any solution that can be shared ?
By trying to find my previous post, I actually realised that I missed Daisuke's email.

Subject: "a mitigation against random subdomain attack"
Date: 24/03/15

His solution: https://github.com/hdais/unbound-bloomfilter

I will test it when I have a bit of time.

Thomas
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
