[dnsdist] Suggestions for rules to block abusive traffic
Jeffrey Cronstrom
jeff.cronstrom at cloudfloordns.com
Fri Dec 29 21:38:36 UTC 2023
Hi Dan,
We see these types of attacks on a regular basis anywhere from 5 minute
bursts to days at a time and have been seeing them for quite some time. We
do not have anything that dynamically handles any of this yet but rather
update the dnsdist configs on an as needed basis. We simply add a domain
name to a list and run a given Salt State (we use SaltStack for config
management) across the DNS network and this mitigates quickly against the
domain name and helps with any backend impact.
addAction("example.com.", QPSAction(50))
On the automated front, we've started to develop a program to run against
the dnsdist API so we can evaluate the current QPS and upon a
certain deviation of that metric we can look at a domain name that may be
getting impacted by a flood of queries and automatically apply a temporary
rule. This command would be run remotely against all dnsdist instances.
This is only conceptual and not in use but is the start of an outline for a
program to help with this type of activity.
disthost = "http://%s:8083/jsonstat?command=stats" % (IPv4)
https://dnsdist.org/guides/webserver.html
>From this lookup we can establish the deviation of QPS and a rule can be
applied locally via the dnsdist API and also removed after any offending
traffic has subsided. The rule would also be dropped upon a restart because
it wouldn't be part of the startup configuration of dnsdist.
Some local instance calls for evaluation.
/usr/bin/dnsdist -e 'topQueries(10,2)' - example.com
/usr/bin/dnsdist -e 'topQueries(10,3)' - example.co.uk
/usr/bin/dnsdist -e 'showRules()'
/usr/bin/dnsdist -e 'addAction("example.com.", QPSAction(50))'
/usr/bin/dnsdist -e 'mvRuleToTop()'
One thing to note is the domain getting hit will be affected by limiting
their QPS but it will help the backend from further impact.
This may not be exactly what you are looking for but may help and someone
else on this list might have better suggestions however I thought I would
share.
Best Regards,
Jeff
On Fri, Dec 29, 2023, 14:11 Dan McCombs via dnsdist <
dnsdist at mailman.powerdns.com> wrote:
> Hi all,
>
> I'm wondering if anyone has suggestions of reasonable ways to handle this
> type of abusive traffic with dnsdist.
>
> We've had on and off attacks recently targeting legitimate domains
> delegated to our authoritative service flooding queries for random
> subdomains of varying length and characters/words. i.e. 12345.example.com,
> fred.example.com, abc178371jd.example.com, where example.com is a
> different domain we're authoritative for each attack.
>
> The dnsdist nodes can handle the traffic, but breaking cache and going
> through to our backends is having more of an impact.
>
> We have thousands of domains, so it doesn't seem reasonable to apply
> individual rate limits to them all, but if there is a straight forward way
> to do something like that I'd be happy to hear it. The source addresses are
> well known public resolvers that we shouldn't rate limit either.
>
> I'm wondering if there's any way to detect and apply a rule dynamically to
> respond to queries for one of these domains without affecting the source IP
> address entirely, and not require us to manually add a rule for each domain
> as it occurs.
>
> Any ideas would be appreciated.
>
> Take care,
>
> -Dan
>
>
> Dan McCombs
> Senior Engineer I - DNS
> dmccombs at digitalocean.com
> _______________________________________________
> dnsdist mailing list
> dnsdist at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/dnsdist
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20231229/392ddd2d/attachment.htm>
More information about the dnsdist
mailing list