I think our dns servers are being used like this message.
https://lists.isc.org/pipermail/bind-users/2009-January/074639.html

What got my attention is that I ran out of space for the logs.
I tweaked log rotation and got rid of some unneeded logging.

All 3 advocap.org authoritative dns servers are being hit.
At least we are not the ones being attacked.
Recursive lookups are not allowed.

Have a lot of log entries like this:

Jan 31 10:56:48 fonroute named[17884]: client 70.86.80.98#23535: query (cache) './NS/IN' denied

At least I'm not sending back the cache but just a denied message.
About 3 different ips are referenced.
Sometimes about 2-3 per second per ip. Other times about 10 per minute per ip.

I want to at least minimize us being used to attack and reduce logging.
For now I am blocking a couple of ips.

How about a rule like this:

Limit:info:DNSA,20,300 net loc udp domain

Considerations:
Do not want to stop lookups of advocap.org.
Don't want to stop transfers to/from slaves. Isn't that via tcp anyway?
advocap.org doesn't have that much to look up. Only about a dozen entries, and I suspect most are for mail.advocap.org, www.advocap.org and for spf text.

Any idea what good limits would be?

Thanks

John

--
John McMonagle
IT Manager
Advocap Inc.

------------------------------------------------------------------------------
This SF.net email is sponsored by: SourceForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
John McMonagle wrote:

> Considerations:
> Do not want to stop lookups of advocap.org
> Don't want to stop transfers to/from slaves. Isn't that via tcp anyway?

Yes, it is.

> advocap.org doesn't have that much to lookup. Only about a dozen entries
> and suspect most are for mail.advocap.org www.advocap.org and for spf text.
>
> Any idea what good limits would be?

I'm using "Limit:none:5,60" and it has slowed the bogus queries reaching my DNS server down to a trickle.

Legitimate DNS servers should cache any response and since I only have a few hosts, this seemed like a reasonable setting to me. YMMV.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Tom Eastep wrote:

>> advocap.org doesn't have that much to lookup. Only about a dozen entries
>> and suspect most are for mail.advocap.org www.advocap.org and for spf text.
>>
>> Any idea what good limits would be?
>
> I'm using "Limit:none:5,60" and it has slowed the bogus queries reaching
> my DNS server down to a trickle.
>
> Legitimate DNS servers should cache any response and since I only have a
> few hosts, this seemed like a reasonable setting to me. YMMV.
>
> -Tom

Thanks

Seems to help.
I'll try your settings.

I tried a count of 20 and got an error on shorewall restart.
Less than that is OK.

No reason to go that high; I just figured I should mention it.

Is there a way to test what ips are being blocked?

John
John McMonagle wrote:

> Tom Eastep wrote:
>>
>>> advocap.org doesn't have that much to lookup. Only about a dozen entries
>>> and suspect most are for mail.advocap.org www.advocap.org and for spf text.
>>>
>>> Any idea what good limits would be?
>>
>> I'm using "Limit:none:5,60" and it has slowed the bogus queries reaching
>> my DNS server down to a trickle.
>>
>> Legitimate DNS servers should cache any response and since I only have a
>> few hosts, this seemed like a reasonable setting to me. YMMV.
>>
>> -Tom
>
> Thanks
>
> Seems to help.
> I'll try your settings.
>
> I tried a count of 20 and got an error on shorewall restart.
> Less than that is OK.
>
> No reason to go that high just figure I should mention it.

No reason to mention it unless you include details - http://www.shorewall.net/support.htm#Guidelines.

> Is there a way to test what ips are being blocked?

You have to look at (and interpret) /proc/net/ipt_recent. Basically, those with lots of entries are being blocked.

I've been experimenting and think that I have a much better approach. Its only drawback is that it requires that you install the xtables addons; but that's easy. And you must be using Shorewall-perl.

Add this to /etc/shorewall/actions:

    DNSDDOS

Create /etc/shorewall/action.DNSDDOS:

    # This file is intentionally left empty

Create /etc/shorewall/DNSDDOS as:

    use Shorewall::Chains;

    add_rule $chainref, q(-m string --algo kmp --from 2 --hex-string "|010000010000000000000000020001|" -j DROP);

The add_rule call should all be on one line.

In /etc/shorewall/rules:

    DNSDDOS  net  z:<dns server ip>  udp  domain
    ACCEPT   net  z:<dns server ip>  udp  domain

That detects NS queries against "." and simply drops them. 'z' is the zone where your DNS server lives. Specifying your dns server ip address is of course optional.

Here it is in operation:

    Chain net2dmz (1 references)
     pkts bytes target     prot opt in     out     source               destination
     ...
      554 25376 DNSDDOS    udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
       18  1256 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Tom Eastep wrote:

> I've been experimenting and think that I have a much better approach.
> Its only drawback is that it requires that you install the xtables
> addons; but that's easy. And you must be using Shorewall-perl

Actually, you do *not* need to install the xtables addons. Most distribution kernels already include string match.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Tom Eastep wrote:

> add_rule $chainref, q(-m string --algo kmp --from 2 --hex-string
> "|010000010000000000000000020001|" -j DROP)

I misunderstood how string match works. The following rule restricts the match to exactly the place in the message where the tell-tale pattern occurs:

    add_rule $chainref, q(-m string --algo bm --from 29 --to 30 --hex-string "|010000010000000000000000020001|" -j DROP);

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
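As an added illustration (not code from the thread or from Shorewall), here is a Python model of the packet layout the corrected rule relies on: it builds a constructed './NS/IN' query with RD set, frames it in a minimal IPv4/UDP packet, and shows that the 15-byte hex string lands at offset 30 (20-byte IP header + 8-byte UDP header + 2-byte transaction ID), which is why anchoring the match there hits that query and not an ordinary query such as www.advocap.org A. All addresses, ports and helper names are constructed assumptions; the model assumes an IPv4 header without options, and a query without RD set has a different flags byte and is not matched by this signature.

```python
import struct

# DNS message bytes 2..16 of a "./NS/IN" query with RD set: flags 0x0100,
# QDCOUNT 1, AN/NS/AR counts 0, root QNAME (one zero byte), QTYPE NS (2),
# QCLASS IN (1). Same 15 bytes as the rule's --hex-string.
ROOT_NS_SIGNATURE = bytes.fromhex("010000010000000000000000020001")
IP_HDR_LEN, UDP_HDR_LEN, TXID_LEN = 20, 8, 2
MATCH_OFFSET = IP_HDR_LEN + UDP_HDR_LEN + TXID_LEN  # 30: where the corrected rule anchors

def encode_qname(name):
    """Wire-encode a DNS name; "." (the root) becomes a single zero byte."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_dns_query(txid, name, qtype, rd=True):
    """Constructed query message: 12-byte header plus one IN-class question."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)

def build_ipv4_udp(src, dst, sport, dport, payload):
    """Minimal IPv4 (no options, IHL 5) + UDP framing; checksums left at zero."""
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR_LEN + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + udp

def signature_offset(packet):
    """Offset of the first signature occurrence searched from byte 2 onward, or -1.
    This is what the original unanchored --from 2 rule scanned for."""
    return packet.find(ROOT_NS_SIGNATURE, 2)

def is_root_ns_query(packet):
    """Anchored check like the corrected rule: the signature must start at offset 30.
    A header with IP options would shift the DNS payload and escape a fixed offset."""
    return packet[MATCH_OFFSET:MATCH_OFFSET + len(ROOT_NS_SIGNATURE)] == ROOT_NS_SIGNATURE

if __name__ == "__main__":
    # Constructed sample traffic: the abusive root-NS query and a normal A query.
    attack = build_ipv4_udp("70.86.80.98", "192.0.2.53", 23535, 53,
                            build_dns_query(0x1234, ".", 2))
    legit = build_ipv4_udp("198.51.100.7", "192.0.2.53", 40000, 53,
                           build_dns_query(0x1234, "www.advocap.org", 1))
    print(signature_offset(attack), is_root_ns_query(attack), is_root_ns_query(legit))
```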