[Unbound-users] Random subdomain flood query
Daniel Ryslink
daniel.ryslink at dialtelecom.cz
Wed Apr 1 08:29:34 UTC 2015
Hello,
I have just subscribed here, but we have been dealing with this problem
for about a year.
Here is our solution - a watchdog script that does "unbound-control
dump_requestlist" at regular intervals to see how many concurrent
recursive queries are being worked upon.
If there is a flood, this will spike over a defined limit (depending on
normal traffic), and the following action is taken:
The flooding queries typically have the same structure -
<random_string>.<some_domain>, so that the server cannot use the cache and
wastes resources on doing a recursive query.
When the number of concurrent queries spikes, the script counts them by
domain, and those domains that exceed a defined share (usually over a
quarter) are temporarily blacklisted via "unbound-control local_zone
deny" (you can use "reject" too, or serve an authoritative NXDOMAIN
answer if you prefer). This solution takes advantage of the fact that
legitimate queries are most often quickly finished, and only the bogus
ones pile up and clog the server's memory.
This temporary blacklist is cleared once a day automatically. All
blacklisted zones are logged and I review them regularly, there is an
absolute minimum of false positives. The script also supports
whitelisting of zones you never ever want to blacklist.
I can share the script if anyone is interested.
--
Best regards,
Daniel Ryšlink
System Administrator
Dial Telecom a. s.
Křižíkova 36a/237
186 00 Praha 3, Česká Republika
Tel.:+420.226204627
daniel.ryslink at dialtelecom.cz
-----------------------------------------------
www.dialtelecom.cz
Dial Telecom, a.s.
Simply connect
-----------------------------------------------
On 03/31/2015 11:53 PM, Thomas wrote:
> Hi,
>
> We have the same problem.
>
> Attacks are random and with many source IPs (botnets). Therefore it is
> harder to have an automatic system to block source IPs. Our kind of
> "workaround" was to increase the request_list size from the default
> 1024 to a higher number and to enable jostle-timeout to something like
> 4 sec. Therefore requests do not stay too long in the request_list once
> the box is under load. Manual iptables rules are not maintainable, we
> only manually block IPs for the biggest hitter. I agree that what we are
> doing is _not_ a fix to the problem because we just allocated more
> resources to deal with the junk, but jostle-timeout definitely helps.
> I asked about it almost a year ago on this mailing-list.
>
> Subject: Unbound DDoS / reflexion attack counter-measure ?
> Date: 30/05/14 22:20
>
> > Any solution that can be shared ?
> By trying to find my previous post, I actually realised that I missed
> Daisuke's email.
>
> Subject: "a mitigation against random subdomain attack"
> Date: 24/03/15
>
> His solution: https://github.com/hdais/unbound-bloomfilter
>
> I will test it when I have a bit of time.
>
> Thomas
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
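The watchdog Daniel describes above, written out as an added example; this is not his script (which he offers to share separately) but a sketch of the same approach: poll "unbound-control dump_requestlist", count the in-flight queries per parent zone, and once the queue spikes past a limit, block every zone holding more than a set share of it with "unbound-control local_zone <zone> deny", clearing the blocks again once a day with "local_zone_remove". Three details are my assumptions, not the post's: the dump_requestlist layout the parser expects (a "thread #N" line, a "#" header, then one query per line with the name in the fourth column, as in the constructed SAMPLE_DUMP), the choice to block the most specific ancestor zone that exceeds the share rather than the broadest one, and the MIN_LABELS floor that keeps it from ever acting on a bare TLD. Thresholds (spike_limit, share, interval) are placeholders to be tuned to normal traffic.

```python
"""Watchdog for random-subdomain floods against an Unbound resolver.
Added example, not the poster's own script: it polls
`unbound-control dump_requestlist`, counts in-flight queries per parent
zone and, when the queue spikes above a limit, blocks every zone holding
more than a given share of it via `unbound-control local_zone <zone> deny`,
dropping the blocks again with `local_zone_remove` once a day."""
import logging
import subprocess
import sys
import time
from collections import Counter

MIN_LABELS = 2      # never act on a bare TLD (assumed lower bound)
ZONE_TYPE = "deny"  # local-zone type to apply; "refuse" works the same way

# Constructed sample in the dump_requestlist layout this parser assumes:
# 'thread #N' line, '#' header, then one query per line, name in column 4.
SAMPLE_DUMP = """\
thread #0
#   type cl name    seconds    module status
  0 A IN kx7q2m.victim.example. - iterator wants ...
  1 A IN p0z9ab.victim.example. - iterator wants ...
  2 A IN 3hhq1r.victim.example. - iterator wants ...
  3 AAAA IN www.example.net. - iterator wants ...
  4 A IN mail.example.org. - iterator wants ...
  5 A IN zz81vd.victim.example. - iterator wants ...
"""

def parse_requestlist(text):
    """Query names (lower-cased, no trailing dot) from dump_requestlist output."""
    names = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and not line.startswith(("thread", "#")):
            names.append(fields[3].rstrip(".").lower())
    return names

def count_by_suffix(names):
    """Count queries under each proper ancestor with >= MIN_LABELS labels, so
    'a.b.example.com' counts for 'b.example.com' and for 'example.com'."""
    counts = Counter()
    for name in names:
        labels = name.split(".")
        for i in range(1, len(labels) - MIN_LABELS + 1):
            counts[".".join(labels[i:])] += 1
    return counts

def zones_to_blacklist(names, spike_limit, share, whitelist=()):
    """Nothing unless the queue exceeds spike_limit; otherwise the most specific
    ancestor zones holding more than `share` of it, minus whitelisted ones."""
    total = len(names)
    if total <= spike_limit:
        return []
    counts = count_by_suffix(names)
    candidates = sorted((z for z, c in counts.items() if c / total > share),
                        key=lambda z: z.count("."), reverse=True)
    chosen = []
    for zone in candidates:
        if any(zone == w or zone.endswith("." + w) for w in whitelist):
            continue
        if any(c.endswith("." + zone) for c in chosen):
            continue    # a more specific zone already covers this one
        chosen.append(zone)
    return chosen

def unbound_control(*args, dry_run=False):
    cmd = ["unbound-control", *args]
    if dry_run:
        logging.info("would run: %s", " ".join(cmd))
        return ""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def blacklist(zones, dry_run=False):
    for zone in zones:  # every block is logged so it can be reviewed later
        logging.warning("blacklisting %s as local_zone %s", zone, ZONE_TYPE)
        unbound_control("local_zone", zone, ZONE_TYPE, dry_run=dry_run)

def watch(spike_limit=500, share=0.25, whitelist=(), interval=10,
          clear_after=86400, dry_run=False):
    active, last_clear = set(), time.monotonic()
    while True:
        names = parse_requestlist(unbound_control("dump_requestlist"))
        new = [z for z in zones_to_blacklist(names, spike_limit, share, whitelist)
               if z not in active]
        blacklist(new, dry_run)
        active.update(new)
        if time.monotonic() - last_clear >= clear_after:  # once-a-day reset
            for zone in sorted(active):
                unbound_control("local_zone_remove", zone, dry_run=dry_run)
            active, last_clear = set(), time.monotonic()
        time.sleep(interval)

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    if "--demo" in sys.argv:    # offline run against the constructed sample
        names = parse_requestlist(SAMPLE_DUMP)
        blacklist(zones_to_blacklist(names, spike_limit=4, share=0.25), True)
    else:
        watch(dry_run="--dry-run" in sys.argv)
```

Run it with --demo to exercise the logic offline against the constructed sample (four of six in-flight queries sit under victim.example, so that zone is the one denied), or with --dry-run against a live resolver to log the unbound-control commands instead of executing them. The real loop needs remote-control enabled in unbound.conf, and zones added with unbound-control local_zone are runtime state only: they disappear on restart, which is exactly what a temporary blacklist wants.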