[GTALUG] fail2ban problem

Anthony de Boer adb at adb.ca
Sat Sep 1 11:10:36 EDT 2018


Michael Galea via talk wrote:
> I am experiencing what I believe is a DNS amplification attack on my 
> bind9 DNS server.
> 
> I'm seeing very of the following on different IPs
> 20:11:53.977254 IP 108.234.250.76.62926 > 69.265.222.253.53: 50679+ 
> [1au] ANY? USADF.GOV. (38)
> 
> My server responds
> 20:11:53.977776 IP 69.265.222.253.53 > 108.234.250.76.62926: 50679 
> Refused- 0/0/1 (38)
> 
> I imagine the IPs are spoofed.

I agree with the diagnosis, but IMHO it might be better to configure your
nameserver not to respond at all to such queries, especially as anything
you emit at all is likely going to a victim of an attack.

Internet-exposed DNS servers should really only respond to queries in
domains for which they're authoritative.  Recursive servers should be kept
private enough to respond only to their local users.

Disclaimer: it's been years since I ran nameservers for a midsized ISP
and had to be on top of all this.

-- 
Anthony de Boer
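As an added illustration of the advice above (not part of Anthony's reply or Michael's actual configuration), here is a BIND 9 named.conf fragment that splits the two roles: an Internet-facing server that answers only for its own zones, and a resolver that recurses only for a local network. The ACL addresses and the zone name are placeholders, and the rate-limit block assumes BIND 9.9 or later (RRL) while minimal-any assumes 9.11 or later.

```conf
// Constructed example: addresses and zone below are placeholders.
acl "lan" { 127.0.0.1; ::1; 192.0.2.0/24; };

// --- Role 1: Internet-exposed authoritative server -------------------
// No recursion at all; it only knows the zones listed below, so a
// forged-source query for a foreign name gets nothing useful back.
options {
    directory "/var/cache/bind";
    recursion no;
    allow-query { any; };          // public data in our own zones only

    // Response Rate Limiting: identical answers (and error responses such
    // as REFUSED) to one /24 are throttled, so a spoofed victim receives
    // at most a trickle of reflected packets from this server.
    rate-limit {
        responses-per-second 5;
        errors-per-second 5;       // covers the REFUSED replies seen in the dump
        window 5;
        slip 2;                    // every 2nd dropped reply is a tiny TC=1 hint
        ipv4-prefix-length 24;
        ipv6-prefix-length 56;
        exempt-clients { lan; };   // do not throttle our own monitoring hosts
    };

    // Answer ANY with a single RRset instead of the whole name (9.11+),
    // removing the payload amplification that makes ANY attractive.
    minimal-any yes;
};

zone "example.org" {
    type master;
    file "/etc/bind/db.example.org";
};

// --- Role 2: private recursive resolver (separate host or view) -------
// Uncomment in place of the options block above on the resolver box.
// options {
//     directory "/var/cache/bind";
//     recursion yes;
//     allow-query       { lan; };  // nobody outside the LAN gets any answer
//     allow-recursion   { lan; };
//     allow-query-cache { lan; };
//     listen-on { 192.0.2.53; };   // bind only to the inside interface
// };
```

Check the result with `named-checkconf` before reloading, and watch the `rate-limit` log category for lines ending in "drop" or "slip" to confirm that reflected traffic toward a spoofed source is being suppressed.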

