[Pdns-users] PDNS Authoritative Server DDOS Protection

Hamed Haghshenas haghshenas at chavoosh.com
Tue Jul 17 10:54:22 UTC 2018 

Dear bert,

Hi, and thanks for your solution,

I configure the dnsdist like below :

setLocal("172.16.1.98:53", {reuseport=true})
addLocal('127.0.0.1:53')
newServer("127.0.0.1:5300")
newServer("172.16.1.106:5300")
setACL({'0.0.0.0/0'})
addAction(MaxQPSIPRule(2, 24, 48), DropAction())
carbonServer("172.16.1.166", "web45-dnsdist")
controlSocket('127.0.0.1:5199')
setConsoleACL('127.0.0.0/24')
setKey("6mJMt0+Bh7nmtCd0hzxvA5UtsywEpfTq8V4uvWYequc=")
webserver("172.16.1.98:8083", "Chav00sh", "6mJMt0+Bh7")

I use Mausezahn to simulate DOS and DDOS attack. when check the webserver
and my metronome, in DOS attack do best and CPU is in low rate but when make
DDOS attack with random SRC IP Addresses the CPU increase to 90%, many
queries drops, and the match rule is not effective .

Could you please let me know how handle these large DDOS attacks?
use the EBPF kernel can manage DDOS?

Noted I use this command to make DDOS attacks .

mz eno16777728 -A rand -B 172.16.1.98 -t dns "q=geo.web45.ir" -c 0 -d 1 -4

BR,
Hamed Haghshenas

-----Original Message-----
From: bert hubert [mailto:bert.hubert at powerdns.com] 
Sent: Saturday, July 7, 2018 4:39 PM
To: Hamed Haghshenas <haghshenas at chavoosh.com>
Cc: pdns-users at mailman.powerdns.com
Subject: Re: [Pdns-users] PDNS Authoritative Server DDOS Protection

On Sat, Jul 07, 2018 at 03:49:16PM +0430, Hamed Haghshenas wrote:
> I'm using PDNS Authoritative Server 4.1.3, today I see my server not 
> response and error or timeout on resolves .

Hi Hamed,

What you can best do is install dnsdist and put it in front of your
authoritative servers.

Try this dnsdist.conf, assuming your auth server will listen on 127.0.0.1
and your current auth server IP is 1.2.3.4:

newServer("127.0.0.1")
setLocal("1.2.3.4")
addAction(MaxQPSIPRule(10), DropAction())

This restricts each individual IP address to 10 queries per second. I also
recommend you setup the internal webserver which will give you a good feel
for what is going on, https://dnsdist.org/guides/webserver.html

If you don't want to drop, you can also shift traffic to TCP which stops
most attacks:

addAction(AndRule({TCPRule(false), MaxQPSIPRule(10)}), TCAction())

If this is not enough, you could use the EBPF kernel based limits as
described in https://dnsdist.org/advanced/ebpf.html

This allows you to filter like 20gbit/s of unwanted traffic if need be, but
it does require a recent kernel.

Good luck!

> 
> When check the server see to many DNS requests from some IPs from 
> Brazil like DDOS attack. To fix errors and timeouts, I block the 
> attacker subnet in my firewall .
> 
>  
> 
> Now could you please let me know how protect my server from DOS and 
> DDOS attacks ?
> 
>  
> 
> Best Regards,
> 
>  
> 
> Hamed Haghshenas
> 
>  
> 
>  
> 

> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users

More information about the Pdns-users mailing list