[cobalt-users] How to prevent DoS attacks from non-spoofed IPs on DNS.
- Subject: [cobalt-users] How to prevent DoS attacks from non-spoofed IPs on DNS.
- From: "Al-Juhani" <aljuhani@xxxxxxxxx>
- Date: Fri Sep 26 10:21:01 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Hello List..
Last week our RaQ4 was hit by a large number of DNS queries from several IPs
around the world.
The domain that was mapped has our nameservers.
Here are some stats:
Number of DNS queries: approx. more than 7,200 per hour.
Bandwidth: reached 100 times more than the normal average.
Named was consuming more than 80% of the CPU power.
CPU temp was between 50 and 60.
Load average reached 20.
Logging in via SSH takes 3-4 minutes as DNS times out.
Browsing websites gives a TCP/IP error as DNS times out.
/var/log/messages was filled with the DNS queries below, but from different
IPs:
"denied recursion for query from [195.141.214.35].53 for domain.com IN"
Solution:
We made a Perl script that scans /var/log/messages, grabs the attacking IPs,
echoes them into another file, sorts them to remove duplicates and then
triggers an ipchains blocking rule for each IP address. We were hoping to find
the loop, as the IPs appeared to be generated by a script, and after collecting
around 12,000 IP addresses the loop restarted from the beginning.
Well, that solved it, and really I never thought a RaQ4 would stand such a
denial of service, but luckily it survived.
My Question:
Is there any other way to protect servers from such attacks? I mean
something to do with BIND.
I know the spoofed IPs can be ignored, but all attacking IPs were real,
pingable IP addresses.
Thanks
Al-Juhani
aljuhani@xxxxxxxxx
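A shell version of the log-scan-and-block step described in the post, added here as an example (it is not the poster's Perl script): it parses the quoted "denied recursion" lines, counts refused queries per source address, and only emits an ipchains rule for addresses that reach a threshold, so a resolver that sent a single refused query is not blocked. The log lines, hostname and addresses are constructed; the rules are printed for review rather than executed.

```shell
#!/bin/sh
# Constructed sample of /var/log/messages lines in the format quoted in the
# post. Hostname, PID and IP addresses are made up for illustration.
SAMPLE_LOG='Sep 26 09:00:01 raq4 named[123]: denied recursion for query from [10.0.0.1].53 for domain.com IN
Sep 26 09:00:02 raq4 named[123]: denied recursion for query from [10.0.0.2].53 for domain.com IN
Sep 26 09:00:03 raq4 named[123]: denied recursion for query from [10.0.0.1].53 for domain.com IN
Sep 26 09:00:04 raq4 named[123]: client 10.0.0.9#53 query (cache) denied
Sep 26 09:00:05 raq4 named[123]: denied recursion for query from [10.0.0.3].53 for domain.com IN
Sep 26 09:00:06 raq4 named[123]: denied recursion for query from [10.0.0.1].53 for domain.com IN'

# Read log lines on stdin, keep only "denied recursion" entries, pull the
# source address out of the [addr].port field, and print "count addr"
# ordered by count (highest first).
denied_recursion_counts() {
    grep 'denied recursion for query from \[' \
      | sed -n 's/.*from \[\([0-9.]*\)\]\.[0-9]*.*/\1/p' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Read "count addr" lines on stdin and print one ipchains DENY rule for
# every address whose count reaches the threshold ($1, default 2).
# The threshold keeps one-off refused queries from legitimate resolvers
# off the block list. ipchains is the firewall the post uses on the RaQ4.
block_rules() {
    thr=${1:-2}
    awk -v thr="$thr" \
        '$1 >= thr {printf "ipchains -A input -p udp -s %s -d 0/0 53 -j DENY\n", $2}'
}

# Stand-alone run over the constructed sample: prints one rule for 10.0.0.1.
printf '%s\n' "$SAMPLE_LOG" | denied_recursion_counts | block_rules 2
```

Against a live system the first pipeline would read /var/log/messages instead of the sample, and the rule output would be inspected before being piped into sh.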