Maintained by: NLnet Labs

[Unbound-users] Random subdomain flood query

Daniel Ryslink
Wed Apr 1 10:29:34 CEST 2015


Hello,

I have just subscribed here, but we have been dealing with this problem 
for about a year.

Here is our solution - a watchdog script that does "unbound-control 
dump_requestlist" at regular interval to see how many concurrent 
recursive queries are being worked upon.

If there is a flood, this will spike over a defined limit (depending on 
normal traffic), and the following action is taken:

The flooding queries typically have the same structure - 
<random_string>.<some_domain>, so that the server cannot use the cache and 
wastes resources on doing a recursive query.

When the number of concurrent queries spikes, the script counts them by 
domain, and those domains that exceed a defined share (usually over a 
quarter) are temporarily blacklisted via "unbound-control local_zone 
deny" (you can use "reject" too, or serve an authoritative NXDOMAIN 
answer if you prefer). This solution takes advantage of the fact that 
legitimate queries are most often quickly finished, and only the bogus 
ones pile up and clog the server's memory.

This temporary blacklist is cleared once a day automatically. All 
blacklisted zones are logged and I review them regularly, there is an 
absolute minimum of false positives. The script also supports 
whitelisting of zones you never ever want to blacklist.

I can share the script if anyone is interested.

-- 
Best regards,
Daniel Ryšlink
System Administrator

Dial Telecom a. s.
Křižíkova 36a/237
186 00 Praha 3, Česká Republika
Tel.:+420.226204627
daniel.ryslink at dialtelecom.cz
-----------------------------------------------
www.dialtelecom.cz
Dial Telecom, a.s.
Jednoduše se připojte
-----------------------------------------------

On 03/31/2015 11:53 PM, Thomas wrote:
> Hi,
>
> We have the same problem.
>
> Attacks are random and with many source IPs (botnets). Therefore it is 
> harder to have an automatic system to block source IPs. Our kind of 
> "workaround" was to increase the request_list size from the default 
> 1024 to a higher number and to enable jostle-timeout to something like 
> 4sec. Therefore requests do not stay too long in the request_list once 
> the box is under load. Manual iptables rules are not maintainable, we 
> only manually block IPs for the biggest hitter. I agree what we are 
> doing is _not_ a fix to the problem because we just allocated more 
> resources to deal with the junk, but jostle-timeout definitely helps. 
> I asked about it almost a year ago on this mailing-list.
>
> Subject: Unbound DDoS / reflexion attack counter-measure ?
> Date: 30/05/14 22:20
>
> > Any solution that can be shared ?
> By trying to find my previous post, I actually realised that I missed 
> Daisuke's email.
>
> Subject: "a mitigation against random subdomain attack"
> Date: 24/03/15
>
> His solution: https://github.com/hdais/unbound-bloomfilter
>
> I will test it when I have a bit of time.
>
> Thomas
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
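Daniel's watchdog procedure above (poll `unbound-control dump_requestlist`, act only when the request list is larger than normal, count the in-flight names by domain, deny the domains that own more than a given share, skip whitelisted zones, log everything and clear the blacklist once a day) written out as an added example. This is not Daniel's script and not part of Unbound; the thresholds, file paths, the whitelist entry, the choice of counting by the last two labels, and the sample dump are all assumptions made for the example (the dump is constructed in the column layout `dump_requestlist` prints). The `unbound-control` subcommands used (`dump_requestlist`, `local_zone <name> deny`, `local_zone_remove <name>`) are the documented ones.

```python
"""Request-list watchdog for random-subdomain floods (hypothetical example,
not Daniel's script).  Polls `unbound-control dump_requestlist`; once the
number of in-flight recursive queries exceeds a limit, every domain owning
more than a given share of them is denied via `unbound-control local_zone`
and logged for review.  `--clear` (run daily from cron) lifts the blacklist."""
import os
import subprocess
import sys
import time
from collections import Counter

# Thresholds and paths are assumptions; tune them to your normal traffic.
MAX_INFLIGHT = 500     # only act when at least this many queries are in flight
FLOOD_SHARE = 0.25     # a domain owning more than this share of them is flooding
LABELS = 2             # count by the last N labels of the qname (heuristic)
WHITELIST = {"example.net."}                        # never blacklisted
ACTIVE_FILE = "/var/lib/unbound/flood-blacklist"    # zones currently denied
LOG_FILE = "/var/log/unbound-flood-blacklist.log"   # history for review

# Constructed sample of dump_requestlist output (columns: number, type, class,
# name, seconds, module status): 8 in-flight queries, five under victim.example.
SAMPLE_DUMP = """\
thread #0
#   type cl name    seconds    module status
  0    A IN www.example.net. 0.012345 iterator wants A example.net.
  1    A IN a1b2c3.victim.example. 2.345678 iterator wants A a1b2c3.victim.example.
  2    A IN x9y8z7.victim.example. 2.345001 iterator wants A x9y8z7.victim.example.
  3   MX IN mail.example.org. - iterator wants MX example.org.
thread #1
#   type cl name    seconds    module status
  0    A IN q0w9e8.victim.example. 1.999999 iterator wants A q0w9e8.victim.example.
  1    A IN ns.example.org. - validator wants A ns.example.org.
  2    A IN zz1yy2.victim.example. 3.100000 iterator wants A zz1yy2.victim.example.
  3 AAAA IN k3j4h5.victim.example. 0.500000 iterator wants AAAA k3j4h5.victim.example.
"""

def parse_requestlist(text):
    """Return the query names; 'thread #N' and '#   type cl name' header
    lines are skipped, data lines start with the query number."""
    names = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].isdigit():
            names.append(fields[3].lower())
    return names

def parent_domain(qname, labels=LABELS):
    """'a1b2c3.victim.example.' -> 'victim.example.' (last `labels` labels).
    Not a public-suffix lookup: a flood under foo.co.uk is attributed to
    'co.uk.', which is exactly the kind of zone to keep on the whitelist."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-labels:]) + "."

def flooding_domains(names, max_inflight=MAX_INFLIGHT, share=FLOOD_SHARE,
                     whitelist=WHITELIST):
    """[(domain, count), ...], busiest first, for domains owning more than
    `share` of the in-flight queries.  Nothing is flagged while the list is
    below `max_inflight`: legitimate queries finish quickly, so a large
    request list is itself the sign that something is piling up."""
    if len(names) < max_inflight:
        return []
    counts = Counter(parent_domain(n) for n in names)
    hits = [(d, c) for d, c in counts.items()
            if c > share * len(names) and d not in whitelist]
    return sorted(hits, key=lambda dc: (-dc[1], dc[0]))

def unbound_control(*args):
    """Run unbound-control with the given arguments and return its stdout."""
    return subprocess.run(["unbound-control", *args], check=True,
                          capture_output=True, text=True).stdout

def blacklist(domain, count, total):
    """Deny the zone ('refuse' answers REFUSED instead of dropping) and
    record it both for the daily clear and for manual review."""
    unbound_control("local_zone", domain, "deny")
    with open(ACTIVE_FILE, "a") as active, open(LOG_FILE, "a") as log:
        active.write(domain + "\n")
        log.write(f"{time.strftime('%Y-%m-%d %H:%M:%S')} {domain} "
                  f"{count}/{total} in-flight queries\n")

def clear_blacklist():
    """Lift every zone denied by blacklist(); LOG_FILE keeps the history."""
    if os.path.exists(ACTIVE_FILE):
        with open(ACTIVE_FILE) as active:
            for domain in {l.strip() for l in active if l.strip()}:
                unbound_control("local_zone_remove", domain)
        os.remove(ACTIVE_FILE)

def main(argv):
    if argv[1:] == ["--clear"]:
        clear_blacklist()
        return 0
    names = parse_requestlist(unbound_control("dump_requestlist"))
    for domain, count in flooding_domains(names):
        blacklist(domain, count, len(names))
        print(f"blacklisted {domain}: {count}/{len(names)} in-flight queries")
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from cron or a systemd timer every minute or so as a user allowed to use `unbound-control`, and once a day with `--clear`. Two points worth keeping in mind when tuning it: the size threshold is what keeps the share test from firing on quiet hours, where one popular domain can easily be a quarter of a handful of queries, and the last-N-labels grouping is a heuristic, so public suffixes and your own important zones belong on the whitelist before the first flood, not after.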