[CentOS] DNS DoS attack

Fri Aug 17 11:37:26 UTC 2012
Jussi Hirvi <listmember at greenspot.fi>

On 17.8.2012 8.18, John R Pierce wrote:
> meh, if its coming from lots of random hosts, then fail2ban style
> techniques won't work.  I assume this is an authoritative name server?
> does it have recursive queries disabled so it can only return results
> for the domain(s) its authoritative for ?

Yes, it is authoritative. Recursive queries were open very widely. That 
may be why I started to get plenty of requests. But I think that 240 per 
second is not normal anymore, it must me malicious.

I believe my name server was used as a mediator only, and the real 
target (through recursive queries) was some other public nameserver.

This morning I restricted recursive queries to trusted networks only. 
The load dropped slowly to 20 % of what it was before.

- Jussi