How to mitigate a DNS DDoS attack using fail2ban

  • Hello,


    I had a DNS DDoS attack and I am writing this so you can take action on this issue. The solution was taken from the URL
    "https://debian-administration.org/article/623/Blocking_a_DNS_DDOS_using_the_fail2ban_package".


    Symptom:

    Code
    Oct  3 08:05:46 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '97.73.52.120.in-addr.arpa/PTR/IN': 120.52.20.138#53
    Oct  3 08:05:46 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '97.73.52.120.in-addr.arpa/PTR/IN': 120.52.20.137#53
    Oct  3 08:05:46 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '97.73.52.120.in-addr.arpa/PTR/IN': 120.52.20.138#53
    Oct  3 08:05:48 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '97.73.52.120.in-addr.arpa/PTR/IN': 120.52.20.137#53
    Oct  3 08:05:58 ns1 named[1708]: lame server resolving '238.13.130.221.in-addr.arpa' (in '13.130.221.in-addr.arpa'?): 211.103.13.101#53
    Oct  3 08:05:59 ns1 named[1708]: lame server resolving '238.13.130.221.in-addr.arpa' (in '13.130.221.in-addr.arpa'?): 211.138.200.69#53
    Oct  3 08:06:21 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '97.73.52.120.in-addr.arpa/PTR/IN': 120.52.20.138#53
    Oct  3 08:06:22 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '97.73.52.120.in-addr.arpa/PTR/IN': 120.52.20.137#53
    Oct  3 08:06:24 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '97.73.52.120.in-addr.arpa/PTR/IN': 120.52.20.138#53
    Oct  3 08:06:24 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '97.73.52.120.in-addr.arpa/PTR/IN': 120.52.20.137#53
    Oct  3 08:08:39 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '58.72.52.120.in-addr.arpa/PTR/IN': 120.52.20.138#53
    Oct  3 08:08:40 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '58.72.52.120.in-addr.arpa/PTR/IN': 120.52.20.137#53
    Oct  3 08:08:40 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '58.72.52.120.in-addr.arpa/PTR/IN': 120.52.20.138#53
    Oct  3 08:08:41 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '52.72.52.120.in-addr.arpa/PTR/IN': 120.52.20.138#53
    Oct  3 08:08:41 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '52.72.52.120.in-addr.arpa/PTR/IN': 120.52.20.137#53
    Oct  3 08:08:41 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '58.72.52.120.in-addr.arpa/PTR/IN': 120.52.20.137#53
    Oct  3 08:08:42 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '52.72.52.120.in-addr.arpa/PTR/IN': 120.52.20.138#53
    Oct  3 08:08:42 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '52.72.52.120.in-addr.arpa/PTR/IN': 120.52.20.137#53
    Oct  3 08:08:46 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '97.73.52.120.in-addr.arpa/PTR/IN': 120.52.20.138#53
    Oct  3 08:08:46 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '97.73.52.120.in-addr.arpa/PTR/IN': 120.52.20.137#53
    Oct  3 08:08:47 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '97.73.52.120.in-addr.arpa/PTR/IN': 120.52.20.138#53


    You will get a permission error with the file created for named, so change the file path to /tmp/security.log:


    Code
    logging {
        // BIND syntax is "channel <name> { ... }"; the name comes after the keyword
        channel security_file {
            file "/tmp/security.log" versions 3 size 30m;
            severity dynamic;
            print-time yes;   // timestamps are required for fail2ban's findtime window
        };
        // the "query (cache) ... denied" messages belong to the security category
        category security { security_file; };
    };


    Blocking successful:


    Code
    03-Oct-2016 13:11:11.467 client 74.125.190.136#34346: query (cache) 'gobiernodenicaragua.gob.ni/A/IN' denied
    03-Oct-2016 13:11:11.738 client 74.125.190.12#41948: query (cache) 'gobiernodenicaragua.gob.ni/A/IN' denied
    03-Oct-2016 13:11:12.007 client 74.125.190.133#53942: query (cache) 'gobiernodenicaragua.gob.ni/A/IN' denied
    03-Oct-2016 13:59:12.298 client 198.48.92.104#54629: query (cache) 'satellite.cs.washington.edu/A/IN' denied
    03-Oct-2016 14:05:50.064 client 164.132.96.66#57657: query (cache) 'cpsc.gov/A/IN' denied
    03-Oct-2016 15:05:16.005 client 66.35.59.249#63937: query (cache) './NS/IN' denied
    03-Oct-2016 15:35:37.197 client 95.215.60.214#55397: query (cache) 'defcongroups.org/ANY/IN' denied
    03-Oct-2016 15:39:13.839 client 183.56.172.145#20000: query (cache) '776233637.www.baidu.com/A/IN' denied


    I hope this will be of help. Sorry for my English.


    :)
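
The detection step the post above relies on, shown as an added example that is not part of the original thread or of the linked article: a fail2ban jail reads the BIND security log, matches each "query (cache) ... denied" line against a failregex, extracts the client address from the <HOST> position, and bans any address that produces maxretry matches within findtime seconds. The script below re-implements that logic in Python so it can be run offline against a few constructed log lines (the addresses are from the RFC 5737 documentation ranges and the query names are placeholders; nothing here is copied from a real server). The failregex is an assumption written for this example, not the filter from the linked article, and the thresholds maxretry=3 and findtime=600 are chosen for the demo.

```python
"""Fail2ban-style detection of repeated BIND 'query ... denied' lines.

Added example, not code from the thread. It mimics a fail2ban jail: match a
failregex, take the client address from the <HOST> position, and ban a host
once it has `maxretry` matches within `findtime` seconds.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Body of the filter as it would be written in a fail2ban filter.d file
# (assumed filter, not the one from the linked article). fail2ban removes the
# leading timestamp itself and substitutes its own pattern for <HOST>.
BODY = r"client <HOST>#\d+: query \(cache\) '(?P<qname>[^']+)' denied"
FAIL2BAN_FAILREGEX = "^" + BODY + "$"

# For the stand-alone demo we parse the timestamp ourselves. With
# "print-time yes" BIND writes it as 03-Oct-2016 13:11:11.467.
TS_RE = r"(?P<ts>\d{2}-[A-Z][a-z]{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})"
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
LINE_RE = re.compile("^" + TS_RE + " " + BODY.replace("<HOST>", HOST_RE) + "$")

# Constructed sample log (documentation addresses, placeholder names).
# 203.0.113.7 fires three denied ANY queries in under a second (should be
# banned); 198.51.100.9 makes one denied query plus an unrelated zone-transfer
# refusal that the filter must ignore; 192.0.2.44 spreads three denied
# queries over 30 minutes, which only counts with a wide findtime.
SAMPLE_LOG = """\
03-Oct-2016 13:11:11.467 client 203.0.113.7#34346: query (cache) 'example.org/ANY/IN' denied
03-Oct-2016 13:11:11.738 client 203.0.113.7#41948: query (cache) 'example.org/ANY/IN' denied
03-Oct-2016 13:11:12.007 client 198.51.100.9#53942: query (cache) 'example.com/A/IN' denied
03-Oct-2016 13:11:12.301 client 203.0.113.7#53942: query (cache) 'example.org/ANY/IN' denied
03-Oct-2016 13:11:20.001 client 198.51.100.9#5353: zone transfer 'example.net/AXFR/IN' denied
03-Oct-2016 13:30:00.000 client 192.0.2.44#1234: query (cache) 'example.net/A/IN' denied
03-Oct-2016 13:45:00.000 client 192.0.2.44#1235: query (cache) 'example.net/A/IN' denied
03-Oct-2016 14:00:00.000 client 192.0.2.44#1236: query (cache) 'example.net/A/IN' denied
""".splitlines()


def parse_line(line):
    """Return (timestamp, client_ip, query) for a matching line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return ts, m["host"], m["qname"]


def find_bans(lines, maxretry=3, findtime=600):
    """Sliding-window count per client, like fail2ban's maxretry/findtime.

    Returns {client_ip: timestamp_of_the_match_that_triggered_the_ban}.
    Matches older than `findtime` seconds relative to the newest one are
    dropped, so slow trickles below the rate never reach maxretry.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    bans = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # line does not match the failregex: not counted
        ts, host, _query = parsed
        if host in bans:
            continue  # already banned; fail2ban would have dropped its packets
        hits = recent[host]
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.popleft()  # expire hits outside the findtime window
        if len(hits) >= maxretry:
            bans[host] = ts
    return bans


if __name__ == "__main__":
    print("failregex =", FAIL2BAN_FAILREGEX)
    for host, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {host} (triggered at {when:%H:%M:%S})")
```

In a real deployment the equivalent jail points logpath at whatever file the BIND logging channel writes (the /tmp/security.log used in the post, or better a path under /var/log owned by the bind user), and the ban is applied by an iptables action against UDP and TCP port 53. Two caveats worth checking before enabling it: source addresses in UDP DNS can be spoofed, so a refused query from a forged address can get a third party banned, and a short bantime keeps the damage from such a false positive limited; and the window above is the same whether the line is an ANY query or a plain A lookup, so tune maxretry to the query rate a legitimate resolver pointed at you by mistake would produce.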

  • @Mario


    I've moved your thread and I've added BBCode where this was needed.


    Thank you for your contribution.


    Thread closed to avoid any pollution.
