by metalruler 5076 days ago
I've been seeing a lot of reflector attacks in the past couple of weeks, where the attacker sends a relatively small query for a valid domain that will return a large reply. The trick is that they spoof the source IP, so the DNS reply goes to the victim.

I ended up hacking something together to firewall any IPs which sent more than 1000 requests in a short period of time.

2 comments

We've seen the same kind of attack. We ended up limiting our DNS resolvers only to our own prefixes. It's a simple ACL in bind that allows recursion (domains your DNS server is not authoritative for) only to our subnets.
Do you mind sharing the script / code to accomplish that? (some gist somewhere) I'm seeing a lot of these sorts of things on our servers too.
It really is a disgusting hack, and specific to FreeBSD. It does need to be a bit more sophisticated than "block an IP if it floods me" because as it is now someone can simply spoof the IP of an ISP's DNS server and effectively firewall them, blocking their users from being able to resolve the domain names I'm hosting.

I can give you one tip to get you started: if you're running named, you can enable logging of every query, something like (hope this formats ok):

  logging {
    channel query_logging {
      file "/var/log/named/querylog" versions 3 size 100M;  // rotate: keep 3 files of 100M each
      print-time yes;                                        // timestamp log entries
    };

    category queries {
      query_logging;          // send all query log messages to the channel above
    };
  };
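One way to pick candidate sources out of that query log, as an added example rather than code from anyone in the thread: it parses BIND query-log lines (the "client IP#port: query:" line format with print-time is assumed; the log lines and addresses are constructed) and reports any source that exceeds a threshold of queries within a sliding time window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches a BIND 9 query-log line with "print-time yes" and no category/severity
# prefix, e.g.: 01-Jun-2012 12:00:00.000 client 192.0.2.10#40000: query: example.com IN ANY + (198.51.100.1)
# (assumed format; real deployments should check their own log lines)
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ '
    r'client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)'
)

def parse_line(line):
    """Return (timestamp, source_ip, qname, qtype) or None for an unrecognised line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d-%b-%Y %H:%M:%S')
    return ts, m.group('ip'), m.group('name'), m.group('qtype')

def find_flooders(lines, threshold=1000, window_seconds=60):
    """Return {source_ip: peak_count} for every source whose query count
    exceeds `threshold` within any `window_seconds` sliding window.
    Assumes lines for a given source arrive in time order."""
    recent = defaultdict(deque)   # per-source timestamps inside the current window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _, _ = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop timestamps that fell out of the window
        if len(q) > threshold and len(q) > peaks.get(ip, 0):
            peaks[ip] = len(q)
    return peaks

def sample_log():
    """Constructed log: 1200 ANY queries from one claimed source within 30
    seconds (the reflector pattern) plus a few ordinary queries from another."""
    lines = [f'01-Jun-2012 12:00:{i // 40:02d}.{i % 1000:03d} client 192.0.2.10#{40000 + i}: '
             f'query: example.com IN ANY + (198.51.100.1)' for i in range(1200)]
    lines += [f'01-Jun-2012 12:00:{i * 10:02d}.000 client 203.0.113.5#53000: '
              f'query: www.example.com IN A + (198.51.100.1)' for i in range(5)]
    return lines
```

Because the source address on those queries can be spoofed, as the poster notes, treat the output as a list to review (and compare against known resolvers) rather than an automatic block list.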