I've never actually used RRL, but from the manual, it appears to default to a
/24 prefix length to determine whether IPv4 clients are "similar" enough to be
lumped in the same bucket, for RRL purposes. That might need to be tweaked,
depending on the profile of whoever is attacking/abusing you. The option is
ipv4-prefix-length. IPv6 has a similar option, defaulting to /56.
From your partial log extract, it looks like you're getting hit from different
parts of the 114.29.192.0/19 netblock (which, according to APNIC, appears to
belong to WebEx/Cisco). That's why I suggested you might want to tweak those
settings.
From the ARM, it looks like there are other configuration parameters too --
responses-per-second, nodata-per-second, nxdomains-per-second,
referrals-per-second -- presumably all intended to provide fine-grained
protection with minimal false positives.
I would recommend a thorough reading of the ARM, and perhaps consultation with
DNS admins who have practical experience with RRL. Hopefully there are some on
this list.
If you have a robust IPS in place, it should be possible, with the appropriate
signature/rule, to drop all incoming root-domain queries. That's a pretty
drastic solution, though, and there could be fallout.
- Kevin
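Added example (editor's addition, not text from the thread or a fragment of ISC's documentation): a named.conf rate-limit block that puts the options discussed above next to each other. The per-second values, the window, the exempt-clients addresses and the choice of a /19 aggregation width are assumptions chosen to match the 114.29.192.0/19 source described in the thread; tune them to your own query profile.

```conf
options {
    // ... other options ...

    // Assumed tuning for an abuser spread across a /19.
    // With the default ipv4-prefix-length of 24, each of the 32 /24s inside
    // 114.29.192.0/19 gets its own token bucket; widening the prefix to /19
    // makes the whole block share a single allowance.
    rate-limit {
        // Set to "yes" first to log what would be dropped without dropping it.
        log-only no;

        // Per-bucket limits, averaged over "window" seconds (values assumed).
        responses-per-second 10;
        referrals-per-second  5;
        nodata-per-second     5;
        nxdomains-per-second  5;
        errors-per-second     5;

        // Optional overall cap per bucket, independent of response type.
        all-per-second       20;

        window 5;

        // Aggregation widths: defaults are 24 and 56; IPv4 widened to /19
        // here (assumption) to cover the netblock seen in the logs.
        ipv4-prefix-length 19;
        ipv6-prefix-length 56;

        // slip 2: every second dropped response is sent truncated (TC=1)
        // instead, so a legitimate client sharing the prefix can retry over TCP.
        slip 2;

        // Assumed: never rate-limit your own monitoring hosts or secondaries.
        exempt-clients { 127.0.0.1; 192.0.2.0/24; };
    };
};
```

Two practical checks before enforcing: run with log-only yes and watch the rate-limit log category, so you can see which prefixes would be throttled and confirm that legitimate resolvers are not among them; and remember that a wide prefix such as /19 makes every client in that block share one bucket, so keep slip enabled to preserve a TCP fallback for the honest ones. RRL is designed for authoritative responses; check the ARM before relying on it on a recursive resolver.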
________________________________
From: bind-users <[email protected]> on behalf of Richard T.A.
Neal <[email protected]>
Sent: Tuesday, August 2, 2022 5:20 PM
To: [email protected] <[email protected]>; [email protected]
<[email protected]>
Subject: RE: Stopping ddos
>> Any best practices on this?
>>
>> I am running bind 9.11.4
>>
>> thanks
> You could think about adding fail2ban to your server with some custom rules.
> Helped us in a similar situation.
You could also take advantage of BIND's built-in Response Rate Limiting which
is explained here:
https://downloads.isc.org/isc/bind9/9.16.31/doc/arm/html/reference.html#response-rate-limiting
I don't recall if BIND 9.11 supports that feature, but even if it does you
should really be upgrading to 9.16.31 anyway (the latest Current-Stable, ESV).
Best,
Richard.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users