Stopping ddos

KEVIN DARCY kevin.darcy at stellantis.com
Tue Aug 2 21:46:36 UTC 2022


I've never actually used RRL, but from the manual, it appears to default to a /24 prefix length to determine whether IPv4 clients are "similar" enough to be lumped in the same bucket, for RRL purposes. That might need to be tweaked, depending on the profile of whoever is attacking/abusing you. The option is ipv4-prefix-length. IPv6 has a similar option, defaulting to /56.

From your partial log extract, it looks like you're getting hit from different parts of the 114.29.192.0/19 netblock (which, according to APNIC, appears to belong to WebEx/Cisco). That's why I suggested you might want to tweak those settings.

From the ARM, it looks like there are other configuration parameters too -- responses-per-second, nodata-per-second, nxdomains-per-second, referrals-per-second -- presumably all intended to provide fine-grained protection with minimal false positives.

I would recommend a thorough reading of the ARM, and perhaps consultation with DNS admins who have practical experience with RRL. Hopefully there are some on this list.

If you have a robust IPS in place, it should be possible, with the appropriate signature/rule, to drop all incoming root-domain queries. That's a pretty drastic solution, though, and there could be fallout.

                                            - Kevin
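For readers who want to see what the options Kevin lists look like in practice, here is an added named.conf fragment (it is not from either poster and not ISC's own configuration; the file path and the exempt network 192.0.2.0/24 are placeholders). It starts in observe-only mode, shows the default /24 IPv4 bucketing next to a coarser /19 that would fold the whole netblock mentioned in the thread into one bucket, and turns on the rate-limit log category so the effect can be checked before enforcement. RRL has shipped enabled in BIND since 9.10 (9.9.4 needed --enable-rrl at build time), so it is available on 9.11 as well as 9.16.

```conf
options {
    // ... other options unchanged ...

    rate-limit {
        // Client bucketing. /24 and /56 are the BIND defaults.
        // Widening the IPv4 prefix to /19 makes every source in the
        // attacking netblock share one bucket, but it also throttles
        // any legitimate client in that block. Pick one of the two.
        ipv4-prefix-length 24;
        // ipv4-prefix-length 19;
        ipv6-prefix-length 56;

        // Per-bucket limits (responses per second) for each answer class.
        responses-per-second 10;   // identical positive answers
        nodata-per-second    5;    // NOERROR with empty answer
        nxdomains-per-second 5;    // NXDOMAIN
        referrals-per-second 5;    // delegations
        errors-per-second    5;    // SERVFAIL/FORMERR/REFUSED etc.

        window 15;   // seconds of credit a bucket may accumulate
        slip   2;    // every 2nd suppressed answer is sent truncated (TC=1)
                     // so real clients retry over TCP while spoofed ones vanish

        // Placeholder: your own monitoring / known resolvers (assumption).
        exempt-clients { 192.0.2.0/24; };

        // Step 1: log what WOULD be limited without changing answers.
        // Step 2: after reviewing the log, set this to "no" to enforce.
        log-only yes;
    };
};

logging {
    // Placeholder path; adjust to your layout.
    channel rrl_log {
        file "/var/log/named/rrl.log" versions 3 size 10m;
        severity info;
        print-time yes;
        print-category yes;
    };
    category rate-limit { rrl_log; };
};
```

Validate with `named-checkconf` before `rndc reload`. Expect lines tagged "would limit" in the log while `log-only yes` is set and "limit" once enforcement is on; if legitimate clients (secondaries, monitoring, large NAT pools) show up, add them to `exempt-clients` rather than raising every limit. RRL is designed for authoritative responses, so it does not by itself address recursive-resolver abuse.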
________________________________
From: bind-users <bind-users-bounces at lists.isc.org> on behalf of Richard T.A. Neal <richard at richardneal.com>
Sent: Tuesday, August 2, 2022 5:20 PM
To: rgm at htt-consult.com <rgm at htt-consult.com>; bind-users at lists.isc.org <bind-users at lists.isc.org>
Subject: RE: Stopping ddos

>> Any best practices on this?
>>
>> I am running bind 9.11.4
>>
>> thanks

> You could think about adding fail2ban to your server with some custom rules.
> Helped us in a similar situation.

You could also take advantage of BIND's built-in Response Rate Limiting which is explained here:
https://downloads.isc.org/isc/bind9/9.16.31/doc/arm/html/reference.html#response-rate-limiting

I don't recall if BIND 9.11 supports that feature, but even if it does you should really be upgrading to 9.16.31 anyway (the latest Current-Stable, ESV).

Best,
Richard.