[Pdns-users] PDNS Authoritative Server DDOS Protection

Remi Gacogne remi.gacogne at powerdns.com
Mon Jul 30 06:51:44 UTC 2018


Hi Hamed,

On 07/21/2018 08:08 AM, Hamed Haghshenas wrote:
> For attacks built by Mausezahn with a small source address subnet, it
> worked fine and blocked every /32 that reached the query rate, but
> when using a big source subnet like /20 it can't manage the queries
> and the CPU rate increases.

What is the size of your in-memory ring buffers? The dynamic blocks code
uses them to look at recent queries and responses, and to apply the rate
limits.
If you have a very high number of queries per second, you might need to
increase the size of the buffers (see [1]) so we are scanning at least a
few seconds of traffic.
But more importantly, if you have more than one receiver thread (created
with addLocal()) or backend thread (created with newServer()) you'll
want to take advantage of the sharding of the buffers introduced in
1.3.0 to limit lock contention.

I have had good results with the following setRingBuffersSize():

setRingBuffersSize(1000000, 500)

It increases the size of the buffers to 1M entries instead of the 10k
default, which might be a bit too much depending on your usage, and
splits them into 500 shards so a thread is much less likely to be waiting
for another one to finish using the buffers.

> Could you please let me know if there is any way to force the dynamic
> block function to check /24 subnets instead of /32 and, for every /24
> source subnet, block the /24 if the query rate is exceeded? For
> example, for 10.10.10.0/24, if the query rate exceeds 10 for 10s then
> block 10.10.10.0/24.

I'm afraid there is currently no way to do that with dnsdist. Please
feel free to open a new feature request at [2] so we remember to look
into it.

[1]: https://dnsdist.org/reference/config.html#setRingBuffersSize
[2]: https://github.com/PowerDNS/pdns/issues/new

Best regards,

Remi

> -----Original Message-----
> From: Pdns-users [mailto:pdns-users-bounces at mailman.powerdns.com] On Behalf Of bert hubert
> Sent: Tuesday, July 17, 2018 3:49 PM
> To: pdns-users at mailman.powerdns.com
> Subject: Re: [Pdns-users] PDNS Authoritative Server DDOS Protection
> 
> On Tue, Jul 17, 2018 at 03:24:22PM +0430, Hamed Haghshenas wrote:
>> Could you please let me know how to handle these large DDOS attacks?
> 
> Hi Hamed,
> 
> Please take a look at
> https://dnsdist.org/guides/dynblocks.html#dynblockrulesgroup
> 
> This is specifically meant for the case of many different IP
> addresses attacking you.
> 
> Good luck!
> 
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
> 


-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
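The ring-buffer sizing from Remi's reply and the DynBlockRulesGroup that Bert's link points to, combined into one dnsdist Lua configuration as an added example (it is not configuration from the thread; the listen address, backend address, excluded range and the rate thresholds are assumed):

```lua
-- Added example dnsdist configuration, not taken from the thread.
-- Assumed values: listen address, backend address, excluded range and
-- the rate thresholds; adjust them to the real deployment.

-- The ring buffers hold the recent queries/responses that the dynamic
-- block code scans. 1M entries split into 500 shards, as suggested in
-- the reply: the shard count matters once several addLocal()/newServer()
-- threads write into the buffers concurrently.
setRingBuffersSize(1000000, 500)

-- Two receiver threads on the same socket (reusePort) and one backend,
-- so the sharding above actually has contention to reduce.
addLocal("0.0.0.0:53", {reusePort=true})
addLocal("0.0.0.0:53", {reusePort=true})
newServer({address="192.0.2.10:53", name="auth-1"})

-- Dynamic block rules, evaluated per client address (/32 for IPv4) over
-- the traffic currently held in the ring buffers. With 10k entries the
-- window at high QPS would be well under a second; 1M keeps a few seconds.
dbr = dynBlockRulesGroup()
-- more than 30 queries/s averaged over the last 10 s -> block for 60 s
dbr:setQueryRate(30, 10, "Exceeded query rate", 60)
-- a high NXDOMAIN answer rate is the usual random-subdomain pattern
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 20, 10, "Exceeded NXDOMAIN rate", 60)
-- never block our own resolvers or monitoring (assumed range)
dbr:excludeRange({"198.51.100.0/24"})

-- Blocked clients get no answer at all rather than REFUSED, so a spoofed
-- source is not sent anything.
setDynBlocksAction(DNSAction.Drop)

-- maintenance() is called by dnsdist every second; apply() scans the
-- ring buffers and inserts or refreshes the dynamic blocks.
function maintenance()
  dbr:apply()
end
```

As Remi notes, these rules work per client address; grouping a /20 of spoofed sources into one /24 block was not available at the time of this thread.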
