Re: Survive from DDoS



Kalpin Erlangga Silaen wrote:
yesterday, our shell server was attacked and the server immediately rebooted.
I checked the logs; it looks like a UDP flood with destination port 53. Is there
any way to survive this kind of attack?

(i)
Do a "grep 53 /etc/services" and search for port 53 on both tcp and udp.
Use tcpdump to examine the traffic to see if you can find out what is
making the requests.

(ii)
You could set up a caching-only name server. By default, the queries
would be performed through a random port, and any previous queries would
reference the cache, rather than rely on the remote DNS.

(iii)
I found this on the net:

You could tie your address resolution to a group.

Say, for instance, you create a group called "resolve", and add yourself
to it and root (for ports):

# pw groupadd resolve -M root,you

Then, just add something like this to IPFW rule set, replacing the
example DNS addresses with your actual addresses:

DNS1="1.2.3.4"
DNS2="5.6.7.8"

add pass udp from any 53 to { $DNS1 or $DNS2 } 53 out gid resolve keep-state

That would have the effect of blocking anything outward-bound from port
53, except that of address queries by you and root.

If you're running a caching-only NS, set-up "bind" as a member of the
group, and your firewall line w/o the port 53 specification:

# pw groupadd resolve -M bind

add pass udp from any 53 to { $DNS1 or $DNS2 } 53 out gid resolve keep-state
add pass udp from any to { $DNS1 or $DNS2 } 53 out gid resolve keep-state

That will block everyone but bind from querying the remote DNS server.

-- cut --

I hope this helps...
Jos

-- My other computer is a BBC Model B+
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
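Step (i) above says to examine the traffic with tcpdump to find out who is sending the port 53 packets. The script below is an added example (not part of Jos's reply or of FreeBSD) showing how that triage can be scripted: it parses "tcpdump -n" style lines, tallies packets aimed at UDP port 53 per source address and per one-second bucket, flags any source whose peak rate exceeds a threshold, and renders one ipfw deny rule per flagged source. The sample capture is constructed with documentation addresses (198.51.100.7, 192.0.2.9, 203.0.113.10), the 100 packets-per-second threshold and the rule numbers starting at 1000 are assumptions, and the line layout follows tcpdump's usual DNS decode ("A?" marks a query, a reply has no "?").

```python
import re
from collections import Counter, defaultdict

# Matches one "tcpdump -n" line for an IPv4 UDP packet. Everything after the
# colon is tcpdump's decode of the payload: "1234+ A? example.com. (29)" is a
# query (note the "?"), "1234 1/0/0 A 93.184.216.34 (45)" is a response.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_dns_udp(lines):
    """Yield (second, src, sport, dport, is_query) for each packet whose
    source or destination port is 53; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sport, dport = int(m["sport"]), int(m["dport"])
        if 53 not in (sport, dport):
            continue
        decode = m["rest"].rsplit(" (", 1)[0]   # drop the trailing "(len)"
        yield m["ts"], m["src"], sport, dport, "?" in decode


def flood_report(lines, pps_threshold=100):
    """Tally packets destined for port 53 per source address, bucketed by the
    one-second timestamp. Returns (stats, flagged): stats[src] holds the total
    packet count, the query count and the peak packets-per-second; flagged is
    the sorted list of sources whose peak rate exceeds pps_threshold."""
    per_sec = defaultdict(Counter)
    stats = defaultdict(lambda: {"packets": 0, "queries": 0, "peak_pps": 0})
    for sec, src, sport, dport, is_query in parse_dns_udp(lines):
        if dport != 53:            # only traffic aimed at our port 53
            continue
        per_sec[src][sec] += 1
        stats[src]["packets"] += 1
        stats[src]["queries"] += int(is_query)
    for src, buckets in per_sec.items():
        stats[src]["peak_pps"] = max(buckets.values())
    flagged = sorted(s for s, v in stats.items() if v["peak_pps"] > pps_threshold)
    return dict(stats), flagged


def ipfw_block_rules(flagged, first_rule=1000):
    """Render one ipfw deny rule per flagged source, numbered from first_rule.
    The rule numbers are an assumption; choose ones that sort before the
    pass rules in your own ruleset."""
    return [f"add {first_rule + i} deny udp from {src} to any 53 in"
            for i, src in enumerate(flagged)]


def make_sample():
    """Constructed tcpdump -n output: 300 then 250 queries in two consecutive
    seconds from one source, three legitimate queries from another host, one
    reply from a remote resolver (source port 53, so not counted as inbound
    to port 53) and one unrelated TCP line that the parser must ignore."""
    lines = []
    for n in range(300):
        lines.append(f"12:00:01.{n:06d} IP 198.51.100.7.{40000 + n} > "
                     f"203.0.113.10.53: {n}+ A? example.com. (29)")
    for n in range(250):
        lines.append(f"12:00:02.{n:06d} IP 198.51.100.7.{41000 + n} > "
                     f"203.0.113.10.53: {n}+ ANY? isc.org. (25)")
    lines += [
        "12:00:01.500000 IP 192.0.2.9.52311 > 203.0.113.10.53: 7+ A? www.freebsd.org. (33)",
        "12:00:02.600000 IP 192.0.2.9.52312 > 203.0.113.10.53: 8+ MX? freebsd.org. (29)",
        "12:00:03.700000 IP 192.0.2.9.52313 > 203.0.113.10.53: 9+ A? lists.freebsd.org. (35)",
        "12:00:03.800000 IP 192.0.2.53.53 > 203.0.113.10.49152: 9 1/0/0 A 96.47.72.84 (51)",
        "12:00:03.900000 IP 203.0.113.10.22 > 192.0.2.9.33000: Flags [P.], seq 1:53, ack 1, win 1024, length 52",
    ]
    return lines


if __name__ == "__main__":
    stats, flagged = flood_report(make_sample())
    for src in sorted(stats, key=lambda s: -stats[s]["packets"]):
        print(src, stats[src])
    print("\n".join(ipfw_block_rules(flagged)))
```

Feed it a real capture with something like "tcpdump -n -i em0 udp port 53 | python3 flood.py" after changing the entry point to read sys.stdin; the generated deny rules are only worth loading if the flagged sources are not spoofed, which a flood of queries with many different source addresses would suggest, in which case the gid-based egress rules in the post and a rate limit are the better defence.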


