[Unbound-users] Unbound DDoS / reflexion attack counter-measure?
Rygl Aleš
ales at rygl.net
Sat May 31 05:13:33 UTC 2014
Hello all,
we have exactly the same issue. Being an ISP with thousands of
misconfigured clients with open resolvers in their DSL modems (which you
cannot even fix because of buggy firmware), you cannot simply cut them off. We
were using PowerDNS in the past, and when these attacks started we migrated
completely to Unbound.
Unbound is much more resistant to such attacks; nevertheless, in order to get rid
of it we are doing the following using a script:
- query Unbound for running queries every minute using unbound-control
dump_requestlist
- count queries for every 2nd or 3rd level domain
- if there are more queries than the threshold for a domain, we compare the domain
with the Alexa list http://www.alexa.com/topsites
- if there is a match, such an entry is ignored
- if not, such a domain is under attack and we create a local zone for sending
REFUSED
We do it every minute. It is not perfect, but after about 4 months we had just
about 2-3 false positives. We have 8 servers behind LVS and since then we have
had no problems anymore.
Ales
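The per-minute script described above is only sketched in the post, so here is an added example of the same loop (it is not Ales's script and not part of Unbound): parse a `dump_requestlist` snapshot, collapse each qname to its 2nd- or 3rd-level domain, apply a threshold and an allowlist standing in for the Alexa list, and emit the `local-zone: ... refuse` lines in the form Daisuke quoted, or push them at runtime with `unbound-control local_zone`. The column layout of `dump_requestlist` that the parser assumes (index, qtype, class, qname, then module state) and the sample snapshot with `sidear.cn` are constructed for this example; the small set of generic second labels is a simplification of the public suffix list.

```python
"""Flag domains with an abnormal number of in-flight queries in Unbound and
generate refuse zones for them. Example code written for this thread; not an
Unbound component. The dump_requestlist layout parsed below is an assumption."""
import subprocess
from collections import Counter

# Constructed sample in the assumed layout of `unbound-control dump_requestlist`.
SAMPLE_DUMP = """\
thread #0
#   type cl name    seconds    module status
  0    A IN a1b2.sidear.cn. - iterator wait for 203.0.113.10
  1    A IN c3d4.sidear.cn. - iterator wait for 203.0.113.10
  2    A IN e5f6.sidear.cn. - iterator wait for 203.0.113.10
  3    A IN www.yahoo.com. - iterator wait for 198.51.100.7
  4    A IN mail.yahoo.com. - iterator wait for 198.51.100.7
  5    A IN news.yahoo.com. - iterator wait for 198.51.100.7
  6    AAAA IN www.example.org. - iterator wait for 198.51.100.8
thread #1
#   type cl name    seconds    module status
  7    A IN g7h8.sidear.cn. - iterator wait for 203.0.113.10
  8    A IN login.yahoo.com. - iterator wait for 198.51.100.7
"""

# Stand-in for the Alexa top-sites allowlist mentioned in the thread.
ALLOWLIST = {"yahoo.com", "example.org"}

# Two-letter ccTLDs often register under a generic second label (co.uk,
# com.br); treat those as 3rd-level. A public suffix list is the robust choice.
GENERIC_SECOND_LABELS = {"co", "com", "net", "org", "ac", "gov", "edu"}


def parse_requestlist(text):
    """Return lowercase qnames (trailing dot stripped) from a dump."""
    names = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with a numeric index and carry the class in column 3;
        # "thread #N" and the "#" header rows are skipped.
        if len(fields) < 4 or not fields[0].isdigit() or fields[2] != "IN":
            continue
        names.append(fields[3].rstrip(".").lower())
    return names


def registrable_domain(qname):
    """Collapse a qname to its 2nd-level (or 3rd-level for co.uk-style) domain."""
    labels = qname.split(".")
    levels = 2
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in GENERIC_SECOND_LABELS:
        levels = 3
    return ".".join(labels[-levels:])


def count_domains(qnames):
    """Number of in-flight queries per registrable domain."""
    return Counter(registrable_domain(q) for q in qnames)


def find_attacked(counts, threshold, allowlist):
    """Domains with more than `threshold` queries that are not allowlisted."""
    return sorted(d for d, n in counts.items() if n > threshold and d not in allowlist)


def local_zone_lines(domains, action="refuse"):
    """unbound.conf lines in the form quoted in the thread."""
    return [f'local-zone: "{d}" {action}' for d in domains]


def unbound_control_commands(domains, action="refuse"):
    """Argument vectors that add the zones at runtime, without a reload."""
    return [["unbound-control", "local_zone", d, action] for d in domains]


def run_once(threshold=3, allowlist=ALLOWLIST, dump_text=None, apply=False):
    """One pass of the per-minute loop; pass dump_text=None to query Unbound."""
    if dump_text is None:
        dump_text = subprocess.run(["unbound-control", "dump_requestlist"],
                                   capture_output=True, text=True, check=True).stdout
    attacked = find_attacked(count_domains(parse_requestlist(dump_text)),
                             threshold, allowlist)
    if apply:
        for cmd in unbound_control_commands(attacked):
            subprocess.run(cmd, check=True)
    return attacked


if __name__ == "__main__":
    # Dry run on the constructed snapshot: prints the refuse line for sidear.cn,
    # while yahoo.com (also busy) is spared by the allowlist.
    for line in local_zone_lines(run_once(dump_text=SAMPLE_DUMP)):
        print(line)
```

The threshold is on queries in flight at snapshot time, not on query rate, which is why a single busy but legitimate domain can trip it; that is the false-positive case the allowlist absorbs, and why an entry should be aged out rather than kept forever.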
On Saturday 31 of May 2014 03:58:05 Daisuke HIGASHI wrote:
> And increasing these params would mitigate this kind of attacks:
>
> num-queries-per-thread
> outgoing-range
> so-rcvbuf
> so-sndbuf
>
> "Howto Optimise" document will help.
> http://unbound.nlnetlabs.nl/documentation/howto_optimise.html
>
> --
> Daisuke HIGASHI
>
> 2014-05-31 10:39 GMT+09:00 Daisuke HIGASHI <daisuke.higashi at gmail.com>:
> > Hi,
> >
> > A countermeasure would be just blackholing "sidear.cn".
> >
> > # queries for sidear.cn are just dropped and generate no answer.
> > local-zone: "sidear.cn" deny
> >
> > - or -
> >
> > # queries for sidear.cn return REFUSED
> > local-zone: "sidear.cn" refuse
> >
> > ------
> >
> > Next (current) target is yahoo.com?
> >
> > $ dig @a.dns.cn sidear.cn
> >
> > ;; QUESTION SECTION:
> > ;sidear.cn. IN A
> >
> > ;; AUTHORITY SECTION:
> > sidear.cn. 86400 IN NS ns2.yahoo.com.
> > sidear.cn. 86400 IN NS ns1.yahoo.com.
> >
> > --
> > Daisuke HIGASHI
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>