Bas van den Dikkenberg
2015-Dec-03 16:58 UTC
[nsd-users] Amplification attack how to stop it
Hi all,

We have a big problem: all 3 of our DNS servers are under amplification attack.
As soon as we start NSD we send out 50 mbit to the internet.
Any ideas how we can stop this?

We run NSD version 4.1.2 (most recent in ondrej nlnetlabs ppa)

My nsd.conf can be found here: http://pastebin.com/kAHcRiVf

Suggestions are greatly appreciated
On 03/12/15 17:58, Bas van den Dikkenberg wrote:

Hi Bas,

> We have a big problem all 3 of our dns servers are under Amplification attack
> As soon as we start nsd we send out 50 mbit to the internet.
> Any ideas how can stop this .
>
> We run NSD version 4.1.2 (most recent in ondrej nlnetlabs ppa)
>
> My nsd.conf can be found here: http://pastebin.com/kAHcRiVf

It all depends on the type of query traffic you're receiving. For some types of query patterns, Response Rate Limiting (RRL) can help, but you have to enable it at compile time with "--enable-ratelimit". If your config file is just an edited copy of the sample, then it doesn't look like you have RRL code compiled in.

If you have the possibility to recompile NSD quickly, then you can try to build RRL in, and use it. There are a number of RRL config options to set or tune, but the 2 main ones are:

rrl-ratelimit:
rrl-slip:

If you set rrl-ratelimit to something like "10", then the first 10 responses within a 1-second window, to the same destination network, will be allowed. After that, within that same 1-second window, any more responses which are the same as the first 10, to the same destination network, will be dropped.

However, not all responses are dropped. This is controlled by the value of "rrl-slip". NSD's default is 2. This means that out of every 2 responses above the limit, one response will be dropped, and the other response will be a small one, with the "truncated" bit set. This allows a genuine client a 50% chance of seeing the response with the TC bit, and it can retry over TCP.

NSD's default value of 2 for "rrl-slip" has 2 effects:

1. It halves the number of response packets NSD outputs; and
2. It lowers the outgoing bandwidth.

If you set "rrl-slip" to 3, then out of every 3 responses above the limit, 2 will be dropped, and 1 will "slip through" with the TC bit set. Higher values of "rrl-slip" will keep reducing the outgoing response rate.

If you want to block ALL responses above the limit, then set "rrl-slip" to 0, but this is probably not a good idea.

Finally, I'd like to remind you again that RRL is about limiting identical RESPONSES. So if your server gets 10 different queries, but the response to all of them is the same (e.g. NXDOMAIN, or a referral), then these responses are rate-limited. If you are getting lots of different queries from lots of different sources, which results in lots of different responses, then RRL won't work as effectively.

Regards,
Anand Buddhdev
RIPE NCC
https://www.nlnetlabs.nl/blog/2012/10/11/nsd-ratelimit/

> On Dec 3, 2015, at 5:58 PM, Bas van den Dikkenberg <bas at Dikkenberg.net> wrote:
>
> Hi all,
>
> We have a big problem all 3 of our dns servers are under Amplification attack
> As soon as we start nsd we send out 50 mbit to the internet.
> Any ideas how can stop this .
>
> We run NSD version 4.1.2 (most recent in ondrej nlnetlabs ppa)
>
> My nsd.conf can be found here: http://pastebin.com/kAHcRiVf
>
> suggestions are greatly appreciated
On Thu, 3 Dec 2015, Bas van den Dikkenberg wrote:

> We have a big problem all 3 of our dns servers are under Amplification attack
>
> As soon as we start nsd we send out 50 mbit to the internet.
>
> Any ideas how can stop this .

I see you already tried rrl-ratelimit. You can do iptables based packet dropping too, although that might cause service interruptions to real clients as well. e.g.:

iptables -I INPUT -d 188.127.201.225/32 -p udp -m udp --dport 53 -m hashlimit \
    --hashlimit-upto 1/min --hashlimit-burst 5 --hashlimit-mode srcip \
    --hashlimit-name dnsany -m string --hex-string "|0000ff0001|" --algo bm \
    --from 50 --to 65535 -j ACCEPT

This would allow 1 ANY query per minute after an initial burst of five. If your queries are not for ANY, you might have to tweak things a little.

Paul
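The two controls discussed in this thread, the per-source hashlimit on ANY queries in Paul's iptables rule and NSD's RRL with rrl-ratelimit and rrl-slip as Anand describes it, modelled together in Python. This is an added example, not part of the thread and not NSD's or netfilter's code. Assumptions made here: destination networks are grouped by IPv4 /24; "every slip-th response slips through" is applied deterministically, which simplifies NSD's real implementation; a DROP rule for ANY queries exceeding the hashlimit is taken to follow the ACCEPT shown in Paul's rule; the toy zone holds only example.com, so any other name yields NXDOMAIN; the addresses 203.0.113.5 (spoofed victim) and 198.51.100.7 (legitimate client) and the whole query stream are constructed. The question parser is a real decode of what the "|0000ff0001|" string match approximates.

```python
"""Constructed simulation of the two mitigations in this thread: an iptables
hashlimit on ANY queries (Paul's rule) and NSD-style RRL with rrl-ratelimit /
rrl-slip (Anand's explanation). Illustration only; not NSD or netfilter code."""
import struct
from collections import defaultdict

QTYPE_ANY = 255

def build_query(qname: str, qtype: int, qid: int = 0x1234) -> bytes:
    """Minimal DNS query payload: 12-byte header (RD set, QDCOUNT=1) + one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(payload: bytes):
    """(qname, qtype, qclass) of the first question, or None if malformed. A real
    parse of what the '|0000ff0001|' string match approximates (0x00 ends the
    name, QTYPE 0x00ff = ANY, QCLASS 0x0001 = IN)."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] < 1:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        length, pos = payload[pos], pos + 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a query name
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), qtype, qclass

def is_any_query(payload: bytes) -> bool:
    q = parse_question(payload)
    return q is not None and q[1] == QTYPE_ANY and q[2] == 1

class HashLimit:
    """Per-source token bucket modelled on 'hashlimit --hashlimit-mode srcip
    --hashlimit-upto <rate> --hashlimit-burst <n>'."""
    def __init__(self, rate_per_sec: float, burst: int):
        self.rate, self.burst = rate_per_sec, burst
        self.state = {}  # src ip -> (tokens, last_seen)

    def allow(self, src: str, now: float) -> bool:
        tokens, last = self.state.get(src, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.state[src] = (tokens - 1.0, now)
            return True
        self.state[src] = (tokens, now)
        return False

def dst_net(ip: str) -> str:
    """Destination network key; grouping by IPv4 /24 is an assumption of this example."""
    return ".".join(ip.split(".")[:3]) + ".0/24"

class ResponseRateLimit:
    """RRL as Anand describes it: identical responses to one destination network are
    counted per 1-second window; the first `ratelimit` go out, above that every
    `slip`-th one is sent truncated (TC=1) so a real client retries over TCP and
    the rest are dropped; slip=0 drops all. Deterministic 'every slip-th' is a
    simplification of NSD's actual implementation."""
    def __init__(self, ratelimit: int, slip: int):
        self.ratelimit, self.slip = ratelimit, slip
        self.counts = defaultdict(int)  # (window, dst net, response id) -> count

    def decide(self, dst_ip: str, response_id: str, now: float) -> str:
        key = (int(now), dst_net(dst_ip), response_id)
        self.counts[key] += 1
        over = self.counts[key] - self.ratelimit
        if over <= 0:
            return "answer"
        if self.slip and over % self.slip == 0:
            return "slip"  # small response with TC bit set
        return "drop"

def response_id(payload: bytes) -> str:
    """Identity of the response for a toy zone that holds only example.com."""
    qname, qtype, _ = parse_question(payload)
    return f"{qtype} {qname}" if qname == "example.com" else "NXDOMAIN"

def simulate_flood(ratelimit: int = 10, slip: int = 2) -> dict:
    """Run a constructed stream through both controls; 203.0.113.5 is the spoofed
    victim, 198.51.100.7 a legitimate client, all within one 1-second window."""
    fw = HashLimit(rate_per_sec=1 / 60, burst=5)  # --hashlimit-upto 1/min --hashlimit-burst 5
    rrl = ResponseRateLimit(ratelimit, slip)
    stream = [("203.0.113.5", build_query("example.com", QTYPE_ANY), i / 100) for i in range(40)]
    stream += [("203.0.113.5", build_query(f"r{i}.example.com", 1), 0.40 + i / 100) for i in range(30)]
    stream += [("198.51.100.7", build_query("example.com", 1), 0.70 + i / 100) for i in range(3)]
    tally = {"firewall_dropped": 0, "answer": 0, "slip": 0, "drop": 0}
    for src, payload, t in stream:
        # The rule matches ANY queries only; a following DROP for the excess is assumed.
        if is_any_query(payload) and not fw.allow(src, t):
            tally["firewall_dropped"] += 1
            continue
        tally[rrl.decide(src, response_id(payload), t)] += 1
    return tally
```

On the constructed stream, simulate_flood() stops 35 of the 40 ANY queries at the hashlimit, answers 18 responses (the 5 ANY queries that passed the burst, the first 10 NXDOMAINs, and the 3 legitimate A queries), drops 10 and slips 10 with TC set. The 30 random-name queries go straight past the iptables rule because they are not ANY, which is the case Anand makes for RRL: they differ as queries but produce one identical NXDOMAIN response, so RRL still catches them. Calling simulate_flood(slip=0) turns the 10 slipped responses into drops, the trade-off Anand cautions against.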