[Pdns-users] [Pdns-announce] Related to recent DoS attacks: Recursor configuration file guidance

Aleš Rygl ales at rygl.net
Mon Feb 10 07:44:20 UTC 2014


Hi everybody. 

I have some more findings from this morning. The attacks are
continuing. The root cause is an open resolver, mostly on a crappy DSL
modem. When you are an ISP this can be fixed only by replacing the
modems. Imagine that you have 2.000 such modems in your network...
You can cut the IPs off of course. The problem is that the owner of the
modem might have no idea he is an attacker.

This morning I hit the limit of 32768 file descriptors and the server
was receiving just 1/3 of all queries - it is part of the farm behind a
balancer. About 3.300 qps incoming was amplified to ~ 60.000 qps
leaving the server! The other two servers are running unbound. For some
reason unbound is not suffering from this type of DDoS. It is using a
so-called "jostle-timeout".

It would be nice if powerdns implements a similar smart mechanism which
can face



On Sun, 9 Feb 2014 17:33:05 +0200, Vlad wrote:

> I have a similar problem... Several thousand requests from two
> /20 networks..., from our clients, about 50 IPs.
> The list of domains (with auto-generated subdomains): betboy.cc,
> 365ddos.cn, dytt8.net, pddos.com, sheshows.com, cp375.com, sdjlh.com,
> asxkmy.com, ytwtoys.com, jimdo.com, ftes.info, gx911.com... At this
> moment :-)
> I also filter them using iptables ... Other options I do not see.


