[CentOS] DNS DoS attack

Fri Aug 17 12:04:21 UTC 2012
John Doe <jdmls at yahoo.com>

From: Jussi Hirvi <listmember at greenspot.fi>

> On 17.8.2012 8.18, John R Pierce wrote:
>>  meh, if its coming from lots of random hosts, then fail2ban style
>>  techniques won't work.  I assume this is an authoritative name server?
>>  does it have recursive queries disabled so it can only return results
>>  for the domain(s) its authoritative for ?
> 
> Yes, it is authoritative. Recursive queries were open very widely. That 
> may be why I started to get plenty of requests. But I think that 240 per 
> second is not normal anymore, it must me malicious.
> 
> I believe my name server was used as a mediator only, and the real 
> target (through recursive queries) was some other public nameserver.
> 
> This morning I restricted recursive queries to trusted networks only. 
> The load dropped slowly to 20 % of what it was before.

Maybe it is this:
http://arstechnica.com/business/2012/03/how-anonymous-plans-to-use-dns-as-a-weapon/

JD