[Pdns-users] DNS amplification attack advice

kalpesh thaker kalpesh at webdevworld.com
Tue May 29 14:32:23 UTC 2012


Dear PDNS list,

I need some advice on an issue that we've been experiencing on our public DNS servers over the last few days. We have been, and still are, the victims of a terrible DNS DoS amplification attack.

I'm not sure how many others out there are experiencing this issue, but I'm hoping that someone out there may have useful PDNS tips that can be used as a counter-measure. (I've attached a few lines below from the log files, to give you an idea of what is going on.) I am currently using PDNS AS 2.9.21.2-1 on Debian 5 x86.

May 28 15:01:13 ns1 pdns[9603]: Not authoritative for 'filezilla.de', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:18 ns1 pdns[9603]: Not authoritative for 'filezilla.de', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:18 ns1 pdns[9603]: Not authoritative for 'filezilla.de', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:18 ns1 pdns[9603]: Not authoritative for 'blogylana.com', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:19 ns1 pdns[9603]: Not authoritative for 'blogylana.com', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:20 ns1 pdns[9603]: Not authoritative for 'blogylana.com', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:23 ns1 pdns[9603]: Not authoritative for 'filezilla.de', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:25 ns1 pdns[9603]: Not authoritative for 'filezilla.de', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:25 ns1 pdns[9603]: Not authoritative for 'blogylana.com', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:26 ns1 pdns[9603]: Not authoritative for 'filezilla.de', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:28 ns1 pdns[9603]: Not authoritative for 'filezilla.de', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:30 ns1 pdns[9603]: Not authoritative for 'blogylana.com', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:33 ns1 pdns[9603]: Not authoritative for 'blogylana.com', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:33 ns1 pdns[9603]: Not authoritative for 'filezilla.de', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:34 ns1 pdns[9603]: Not authoritative for 'blogylana.com', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:38 ns1 pdns[9603]: Not authoritative for 'blogylana.com', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:39 ns1 pdns[9603]: Not authoritative for 'filezilla.de', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:41 ns1 pdns[9603]: Not authoritative for 'filezilla.de', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:41 ns1 pdns[9603]: Not authoritative for 'blogylana.com', sending servfail to 184.22.170.194 (recursion was desired)
May 28 15:01:43 ns1 pdns[9603]: Not authoritative for 'blogylana.com', sending servfail to 184.22.170.194 (recursion was desired)

Our DNS server is set up as an authoritative server for the zones we host (via the bind backend)... and I can confirm that all recursion has been disabled on this authoritative server.

So far I have done the following:

- cache-ttl is set to 0
- distributor-threads set to 1
- max-tcp-connections set to 60
- negquery-cache-ttl set to 0
- set up iptables with a chain to reject udp/tcp connections to port 53 if they create more than 7 connections per second

(Most of the cache settings were disabled anyway, as they mess with a highly modified geo backend that I use.)

The firewall has helped a lot... and our upstream ISP has started throttling traffic to our nameservers.. which has also helped, at the cost of some dropped legit requests.

Upon discussion with one of the ISPs to which we sent an abuse report for one of their IPs, they seem to think these IP addresses have all been spoofed for this amplification attack.

any advice/criticism/tips would be appreciated

thanks

kalpesh
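A detector for the log pattern quoted in the post, written as an added example (not part of the original post and not PowerDNS code): it parses the 2.9-era "Not authoritative ... sending servfail" lines, counts them per source address over a sliding window and flags sources that exceed the 7-per-window budget the post applies in iptables. The sample lines are constructed to mirror the excerpt, with one benign client (203.0.113.7) added; the 10-second window and the threshold of 7 are assumptions.

```python
import re
from collections import defaultdict, deque

# Matches the PowerDNS 2.9 "Not authoritative" line format shown in the post.
LINE_RE = re.compile(
    r"^\w{3} +\d+ (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) \S+ pdns\[\d+\]: "
    r"Not authoritative for '(?P<qname>[^']+)', sending servfail to "
    r"(?P<src>[\d.]+) \(recursion was desired\)$"
)

def parse_line(line):
    """Return (seconds_since_midnight, source_ip, qname), or None if no match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    return ts, m["src"], m["qname"]

def find_floods(lines, window=10, threshold=7):
    """Map each source IP that sent more than `threshold` refused-recursion
    queries within any `window`-second span to its peak count in such a span.
    The IP is the packet source, so under spoofing it names the victim being
    amplified at, not the attacker: a hit justifies rate-limiting, not blame."""
    recent = defaultdict(deque)   # src -> timestamps inside the current window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue               # unrelated log line
        ts, src, _qname = parsed
        q = recent[src]
        q.append(ts)
        while ts - q[0] >= window:  # slide the window forward
            q.popleft()
        if len(q) > threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks

# Constructed sample: the post's first lines plus one benign client (assumed).
_FMT = ("May 28 15:01:{:02d} ns1 pdns[9603]: Not authoritative for '{}', "
        "sending servfail to {} (recursion was desired)")
_FLOOD, _BENIGN = "184.22.170.194", "203.0.113.7"
SAMPLE_LOG = [_FMT.format(sec, name, ip) for sec, name, ip in [
    (13, "filezilla.de", _FLOOD), (18, "filezilla.de", _FLOOD),
    (18, "filezilla.de", _FLOOD), (18, "blogylana.com", _FLOOD),
    (19, "blogylana.com", _FLOOD), (20, "blogylana.com", _FLOOD),
    (21, "example.net", _BENIGN), (23, "filezilla.de", _FLOOD),
    (25, "filezilla.de", _FLOOD), (25, "blogylana.com", _FLOOD),
]]

if __name__ == "__main__":
    for src, peak in find_floods(SAMPLE_LOG).items():
        print(f"{src}: peak of {peak} refused queries within 10 s")
```

Feeding the real log through `find_floods` gives the per-source peaks to compare against the iptables budget, and the qname column can be tallied the same way to spot the handful of large-response names an amplifier keeps asking for.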
