[ale] Fwd: Under Attack, my dns servers
Chuck Payne
terrorpup at gmail.com
Mon Oct 6 16:13:59 EDT 2014
Here is my file; the IPs have been changed to protect the wicked.
root at inferno:/etc/bind# cat named.conf.options
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //     0.0.0.0;
    // };

    rate-limit {
        responses-per-second 15;
        window 5;
    };
    forwarders {
        208.67.222.222;
        208.67.220.220;
    };
    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { none; };
    allow-query {
        208.67.222.222;
        208.67.220.220;
        75.75.75.75;
        75.76.75.76;
        8.8.8.8;
        71.1.2.11;
        127.0.0.1/8;
        50.1.59.24/28;
        192.168.0.0/24;
        209.120.10.128/25;
    };
    recursive-clients 15;
    additional-from-cache no;
    allow-recursion {
        208.67.222.222;
        208.67.220.220;
        75.75.75.75;
        75.76.75.76;
        8.8.8.8;
        71.1.2.11;
        127.0.0.1/8;
        50.1.59.24/28;
        192.168.0.0/24;
        209.120.10.128/25;
    };
    allow-recursion-on {
        208.67.222.222;
        208.67.220.220;
        75.75.75.75;
        75.76.75.76;
        8.8.8.8;
        71.1.2.11;
        127.0.0.1/8;
        50.1.59.24/28;
        192.168.0.0/24;
        209.120.10.128/25;
    };
    blackhole {
        botnet_pukes;
    };
    //multiple-cname yes;
};
On Mon, Oct 6, 2014 at 3:59 PM, Horkan Smith <ale at horkan.net> wrote:
>
> I've also seen a setup where both internal and external DNS servers are
> running on the same machine, but I'd have to dig out the config options
> they used.
>
> later!
> horkan
>
> On Mon, Oct 06, 2014 at 03:57:19PM -0400, Horkan Smith wrote:
> > Yup, that's a fair critique - it hasn't been an issue yet, but I really
> > should switch my setup around.
> >
> > I have a virtual machine running bind9 and postfix for a brain-damaged
> > internal printer - I should swap DHCP to point there and see what happens.
> >
> > later!
> > horkan
> >
> > On Mon, Oct 06, 2014 at 03:47:05PM -0400, Michael H. Warfield wrote:
> > > On Mon, 2014-10-06 at 15:13 -0400, Horkan Smith wrote:
> > > > Can you share the lines where you control access (including
> > > > recursion)? In my case, they look like:
> > > >
> > > > named.conf.options:
> > > > allow-transfer { home-nets; domain-backups; };
> > > > allow-recursion { home-nets; domain-backups; };
> > > > allow-query { home-nets; domain-backups; };
> > >
> > > It's worth noting that these do not prevent attackers from exploiting
> > > your own name servers to attack you internally. They just spoof the
> > > requests from your internal (even private) addresses to request huge
> > > blocks of response data which will then be cached in your servers and
> > > reflected back to hammer you. It's much better if you can block access
> > > from the external net (either external interface or at your router) to
> > > your recursive cacher, which then blocks incoming spoofed packets from
> > > your internal addresses. Most firewalls can discriminate between
> > > recursive requests and terminal requests, so you'll still end up needing
> > > a non-recursive DNS server for your authoritative zones.
> > >
> > > Regards,
> > > Mike
> > >
> > > > Where home-nets and domain-backups are defined as acls.
> > > >
> > > > later!
> > > > horkan
> > > >
> > > >
> > > > On Mon, Oct 06, 2014 at 12:03:39PM -0400, Chuck Payne wrote:
> > > > > Guys,
> > > > >
> > > > > I am under attack where my DNS server is being used to do a DDoS
> > > > > attack. I believe it's a botnet, because the IPs are too random. I
> > > > > don't think the domain I am seeing in my bind log is real
> > > > >
> > > > > fkfkfkfz.guru
> > > > >
> > > > > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)
> > > > > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query (cache) 'fkfkfkfz.guru/ANY/IN' denied
> > > > > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: drop REFUSED response to 92.222.9.0/24
> > > > >
> > > > > I have turned on recursion, but now people can't find my domains
> > > > > any more. I have also tried to limit the rate as well
> > > > >
> > > > > rate-limit {
> > > > > responses-per-second 25;
> > > > > window 5;
> > > > > };
> > > > >
> > > > >
> > > > > I am running Debian and openSUSE.
> > > > >
> > > > > Anything I can do to stop them and make it so people can find my
> > > > > domains? I don't want to have to pay for something I can do and have
> > > > > control over.
> > > > >
> > > > > --
> > > > > Terror PUP a.k.a
> > > > > Chuck "PUP" Payne
> > > > >
> > > > > 678 636 9678
> > > > > -----------------------------------------
> > > > > Discover it! Enjoy it! Share it! openSUSE Linux.
> > > > > -----------------------------------------
> > > > > openSUSE -- Terrorpup
> > > > > openSUSE Ambassador/openSUSE Member
> > > > > skype,twiiter,identica,friendfeed -- terrorpup
> > > > > freenode(irc) --terrorpup/lupinstein
> > > > > Register Linux Userid: 155363
> > > > >
> > > > > Have you tried SUSE Studio? Need to create a Live CD, an app you
> > > > > want to package and distribute, or create your own linux distro.
> > > > > Give SUSE Studio a try.
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > > > > _______________________________________________
> > > > > Ale mailing list
> > > > > Ale at ale.org
> > > > > http://mail.ale.org/mailman/listinfo/ale
> > > > > See JOBS, ANNOUNCE and SCHOOLS lists at
> > > > > http://mail.ale.org/mailman/listinfo
> > > >
> > > >
> > >
> > > --
> > > Michael H. Warfield (AI4NB) | (770) 978-7061 | mhw at WittsEnd.com
> > > /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
> > > NIC whois: MHW9 | An optimist believes we live in the best of all
> > > PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
> > >
> >
> >
> >
> >
> >
> > --
> > Horkan Smith
> > 678-777-3263 cell, ale at horkan.net
>
--
Terror PUP a.k.a
Chuck "PUP" Payne
678 636 9678
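Mike's point in the thread (authoritative answers for everyone, recursion only for the inside, never both on one open listener) can be expressed in BIND 9 as two views. This is an added example, not Chuck's file or anything posted in the thread; it assumes a zone named example.org with its data in /etc/bind/db.example.org, and it keeps only the loopback, private and local prefixes from the posted allow-query list as "internal" (the public resolver addresses listed there are not clients and are dropped).

```conf
// Added example: split authoritative and recursive service into two views.
// Assumed: zone "example.org" in /etc/bind/db.example.org; the "internal"
// ACL holds the loopback/private/local prefixes from the posted allow-query.
acl "internal" {
    127.0.0.0/8;
    192.168.0.0/24;
    50.1.59.24/28;
};

options {
    directory "/var/cache/bind";
    listen-on-v6 { none; };
    auth-nxdomain no;        // conform to RFC 1035
    minimal-responses yes;   // smaller answers, less amplification per query
    rate-limit {
        responses-per-second 15;
        window 5;
        slip 2;              // every 2nd limited answer is sent truncated (TC=1)
    };                       // so real clients can retry over TCP; spoofers cannot
};

// Inside: the recursive cache, reachable only from our own prefixes.
view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-query { internal; };
    allow-recursion { internal; };
    allow-query-cache { internal; };
    forwarders { 208.67.222.222; 208.67.220.220; };
    zone "example.org" {
        type master;
        file "/etc/bind/db.example.org";
    };
};

// Outside: authoritative only. allow-query { any; } lets the world resolve
// our zones; recursion and cache reads are off, so spoofed queries get no
// cached or recursive data back, only the zone's own records.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query { any; };
    allow-query-cache { none; };
    allow-transfer { none; };
    zone "example.org" {
        type master;
        file "/etc/bind/db.example.org";
    };
};
```

With views in use every zone must be declared inside a view, and named-checkconf /etc/bind/named.conf will report syntax problems before the reload.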