DNS DDoS Attack!

I am sorry if this has come up before, but it seems that one of our name
servers is under some sort of DDoS attack. It seems to be receiving
millions of queries from spoofed IPs, and it is spending all of its
time sending back ICMP unreachables.

It is running BIND 4.31 under BSD 4.62STABLE.

Help!

Thanks,
Dan.

Sorry, I lied. We are running 8.34Release.

What I cannot figure out is why *our* name server is sending out ICMP
unreachables. The incoming DNS queries are coming from random
destinations...

I have blocked ICMP 3 incoming from that DMZ so as not to overwhelm the CEF in
any other routers, but whoever is doing this has this name server at its
knees.

Dan.

Eric Whitehill wrote:

Personally, I'd blackhole the traffic at the entry point and work on finding the
origin.

Assuming it's only one of your name servers, you can run with one dead...

Dan,

  Might I suggest a few things.

  1) If you truly want the NANOG community to help, perhaps
you wish to post the IP being attacked as well as a series of
sources, including the names of the upstreams involved, as
their security teams haven't helped you and that's the reason
for the post.
  2) You probably want to install an ICMP rate-limit to
help mitigate this attack. By saying CEF, I assume you
are using a Cisco router. Here's a quick example:

! CAR on the ingress interface: 1.536 Mbit/s committed rate, 200000-byte normal and excess burst
interface <foo>
rate-limit input access-group 2000 1536000 200000 200000 conform-action transmit exceed-action drop

! Extended ACL matching all ICMP, referenced by the rate-limit above
access-list 2000 permit icmp any any

  That should drop the ICMP down to around a T1's worth.

  - Jared

Are you sure the inbound attack packets are really valid queries, or are
they responses? I ask because in the classic DDoS-via-nameservers attack,
the victim will receive answers from a slew of other nameservers and send
out ICMP unreachables. See

  http://www.cert.org/incident_notes/IN-2000-04.html

Kevin
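Kevin's question (queries or responses?) can be settled from the DNS header alone: the QR bit of the flags word is 0 for a query and 1 for a response, and a response that lands on a UDP port nobody is listening on is exactly what makes the host's kernel (not BIND) emit ICMP type 3 code 3. The classifier below is an added example written for this thread, not code from any of the posters; the packets it feeds itself are constructed inline, the addresses are documentation ranges, and the listening-port assumption (only UDP/53) is hypothetical. On a real box you would feed it the UDP payloads and destination ports pulled from a tcpdump capture.

```python
"""Classify inbound UDP payloads on a name server as DNS queries or responses.

Added example, not from the NANOG thread. All sample packets are constructed
below; the only assumed listener is UDP/53.
"""
import struct
from collections import Counter

DNS_PORT = 53


def dns_header(payload: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,        # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels plus a root label."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def make_query(ident: int, name: str) -> bytes:
    """Constructed A query: QR=0, RD=1, one question."""
    flags = 0x0100
    return (struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", 1, 1))


def make_response(ident: int, name: str, addr: str) -> bytes:
    """Constructed A response: QR=1, RD=1, RA=1, NOERROR, one answer."""
    flags = 0x8180
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    # answer RR: compression pointer to the qname at offset 12, type A, class IN,
    # TTL 300, rdlength 4, IPv4 address
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
              + bytes(int(o) for o in addr.split(".")))
    return struct.pack("!HHHHHH", ident, flags, 1, 1, 0, 0) + question + answer


def classify(packets, listening_ports=(DNS_PORT,)) -> dict:
    """packets: iterable of (src_ip, dst_udp_port, payload).

    Counts queries vs responses, tallies which sources are sending responses,
    and counts responses hitting ports with no listener (the ICMP port
    unreachable triggers)."""
    summary = {"queries": 0, "responses": 0, "unreachable_triggers": 0,
               "malformed": 0, "response_sources": Counter()}
    for src, dport, payload in packets:
        try:
            hdr = dns_header(payload)
        except ValueError:
            summary["malformed"] += 1
            continue
        if hdr["qr"] == 0:
            summary["queries"] += 1
        else:
            summary["responses"] += 1
            summary["response_sources"][src] += 1
            if dport not in listening_ports:
                summary["unreachable_triggers"] += 1
    return summary


def verdict(summary: dict) -> str:
    """Reflected responses outnumbering queries is the IN-2000-04 pattern."""
    if summary["responses"] > summary["queries"]:
        return "reflected responses (IN-2000-04 pattern), not a query flood"
    return "query flood"


# Constructed sample traffic (documentation address ranges, not real captures).
SAMPLE = [
    ("192.0.2.10", 53, make_query(0x1234, "www.example.net")),
    ("198.51.100.7", 41552, make_response(0x2B3C, "example.org", "203.0.113.9")),
    ("198.51.100.8", 53, make_response(0x2B3D, "example.org", "203.0.113.9")),
    ("198.51.100.7", 1025, make_response(0x2B3E, "example.com", "203.0.113.10")),
    ("203.0.113.99", 53, b"\x00\x01"),   # truncated garbage, not a DNS header
]

if __name__ == "__main__":
    s = classify(SAMPLE)
    print(s)
    print(verdict(s))
    print("top response sources:", s["response_sources"].most_common(3))
```

If the responses column dominates, the sources in `response_sources` are the reflecting name servers rather than the attacker, and the fix Jared describes (rate-limit the ICMP you emit) only treats the symptom; the spoofed queries are being sent somewhere else with your address as the source.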