[Pdns-users] [Pdns-announce] Related to recent DoS attacks: Recursor configuration file guidance

[Aleš Rygl]

Hi everybody. 

I have some more findings from today's morning. The
attack are continuing. The root cause is a open resolver mostly on
crappy DSL modem. When you are ISP this can be fixed by replacing the
modems only. Imagine that you have 2.000 such modems in your network...
You can cut the ips off of course. Problem is that the owner of the
modem might have no idea he is an attacker. 

Today morning I have hit
the limit of 32768 filedescriptors and the server was receiving just 1/3
of all queries - it is parf of the farm behing a balancer. About 3.300
qps incoming was amplified to ~ 60.000 qps leaving the server! The other
two servers are running unboud. For some reason unbound is not suffering
from this type od DDoS. It is using so called "jostle-timeout"
http://www.unbound.net/documentation/unbound.conf.html. 

It would be
nice if powerdns implements similar smart mechanism which can can face
this. 

Regards 

Ales 

On Sun, 9 Feb 2014 17:33:05 +0200, Vlad wrote:


> I have the similar problem... Several thousand requests from two
ours
> /20 networks..., from our clients, about 50IP's.
> The list of
domains (with auto-generated subdomains): betboy.cc,
> 365ddos.cn,
dytt8.net, pddos.com, sheshows.com, cp375.com, sdjlh.com,
> asxkmy.com,
ytwtoys.com, jimdo.com, ftes.info, gx911.com... At this
> moment :-)
> I
also filter them using iptables ... Other options I do not see.
> 
>
_______________________________________________
> Pdns-users mailing
list
> Pdns-users at mailman.powerdns.com [1]
>
http://mailman.powerdns.com/mailman/listinfo/pdns-users [2]

 


Links:
------
[1] mailto:Pdns-users at mailman.powerdns.com
[2]
http://mailman.powerdns.com/mailman/listinfo/pdns-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20140210/026150e4/attachment-0001.html>