[Unbound-users] Random subdomain flood query
tom at then.fr
Tue Mar 31 21:53:54 UTC 2015
We have the same problem.
Attacks are random and with many source IPs (botnets). Therefore it is
harder to have an automatic system to block source IPs. Our kind of
"workaround" was to increase the request_list size from the default 1024
to a higher number and to enable jostle-timeout to something like 4sec.
Therefore requests do not stay too long in the request_list once the box
is under load. Manual iptables rules are not maintainable, we only
manually block IPs for the biggest hitter. I agree what we are doing is
_not_ a fix to the problem because we just allocated more resources to
deal with the junk, but jostle-timeout definetely helps. I asked about
it almost a year ago on this mailing-list.
Subject: Unbound DDoS / reflexion attack counter-measure ?
Date: 30/05/14 22:20
> Any solution that can be shared ?
By trying to find my previous post, I actually realised that I missed
Subject: "a mitigation against random subdomain attack"
His solution: https://github.com/hdais/unbound-bloomfilter
I will test it when I have a bit of time.
More information about the Unbound-users