Hello,
Starting 3 days ago, Ubuntu DNS servers started to freeze (1000 load), reboot option.
Checked out tcpdump logs:
Code:
01:02:13.553220 ip 211.161.46.84.27865 > 89.44.246.252.53: 61138 [1au] a? gshk.happy-host.com. (48)
01:02:13.553560 ip 202.98.224.69.6320 > 89.44.246.252.53: 45460% [1au] a? gshk.happy-host.com. (48)
01:02:13.557933 ip 211.161.46.85.15380 > 89.44.246.252.53: 18703 [1au] a? gshk.happy-host.com. (48)
01:02:13.558559 ip 219.146.2.35.26857 > 89.44.246.253.53: 63421 a? gshk.happy-host.com. (37)
01:02:13.558576 ip 61.153.177.179.56471 > 89.44.246.252.53: 17683% [1au] a? gshk.happy-host.com. (48)
01:02:13.558598 ip 61.31.233.5.57829 > 89.44.246.253.53: 45036 [1au] a? gshk.happy-host.com. (48)
01:02:13.559712 ip 61.220.8.35.33504 > 89.44.246.253.53: 1030 [1au] a? gshk.happy-host.com. (48)
10 kpps, same query, spoofed IPs.
Queries put DNS servers down, load @ 1000; as said, rebooting option.
In config files, recursion not allowed. DNS servers answer for domains hosted.
BIND updated to latest version.
Clues? How can I stop further attacks? I've checked the issue, started flooding myself - spoofed IPs - servers got 400 load in approximately 3 minutes.
Thanks!
Put in an iptables rule on local port 53 limiting the rate.
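
Added example, not part of the original posts: a small Python script that parses tcpdump lines in the format quoted above and reports query names that dominate a capture while arriving from many distinct source addresses, which is the pattern the first post describes. The function names, the thresholds and the last sample line are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# tcpdump DNS query line as quoted in the post (case-insensitive, so "IP ... A?" matches too).
LINE_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ ip (\S+)\.\d+ > (\S+)\.53: "
    r"\d+[%+*-]* (?:\[[^\]]*\] )?(\w+)\? (\S+) \(\d+\)$", re.IGNORECASE)

def parse_query(line):
    """Return (src_ip, dst_ip, qtype, qname), or None if the line is not a DNS query."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, dst, qtype, qname = m.groups()
    return src, dst, qtype.upper(), qname.lower().rstrip(".")

def flood_names(lines, min_share=0.8, min_sources=5):
    """Names that make up most of the capture and come from many distinct sources."""
    counts, sources, servers = Counter(), defaultdict(set), defaultdict(set)
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            continue  # skip anything that is not a query to port 53
        src, dst, _qtype, qname = parsed
        counts[qname] += 1
        sources[qname].add(src)
        servers[qname].add(dst)
    total = sum(counts.values())
    return [
        {"qname": n, "queries": c, "sources": len(sources[n]),
         "servers": sorted(servers[n])}
        for n, c in counts.most_common()
        if total and c / total >= min_share and len(sources[n]) >= min_sources
    ]

# First seven lines are the ones from the post; the last one is constructed.
SAMPLE = """\
01:02:13.553220 ip 211.161.46.84.27865 > 89.44.246.252.53: 61138 [1au] a? gshk.happy-host.com. (48)
01:02:13.553560 ip 202.98.224.69.6320 > 89.44.246.252.53: 45460% [1au] a? gshk.happy-host.com. (48)
01:02:13.557933 ip 211.161.46.85.15380 > 89.44.246.252.53: 18703 [1au] a? gshk.happy-host.com. (48)
01:02:13.558559 ip 219.146.2.35.26857 > 89.44.246.253.53: 63421 a? gshk.happy-host.com. (37)
01:02:13.558576 ip 61.153.177.179.56471 > 89.44.246.252.53: 17683% [1au] a? gshk.happy-host.com. (48)
01:02:13.558598 ip 61.31.233.5.57829 > 89.44.246.253.53: 45036 [1au] a? gshk.happy-host.com. (48)
01:02:13.559712 ip 61.220.8.35.33504 > 89.44.246.253.53: 1030 [1au] a? gshk.happy-host.com. (48)
01:02:13.560001 ip 192.0.2.10.40000 > 89.44.246.252.53: 4242 [1au] a? www.example.com. (44)
""".splitlines()
if __name__ == "__main__":
    print(flood_names(SAMPLE))
```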