Maintained by: NLnet Labs

[Unbound-users] Random subdomain flood query

Thomas
Tue Mar 31 23:53:54 CEST 2015


Hi,

We have the same problem.

Attacks are random and with many source IPs (botnets). Therefore it is 
harder to have an automatic system to block source IPs. Our kind of 
"workaround" was to increase the request_list size from the default 1024 
to a higher number and to enable jostle-timeout to something like 4sec. 
Therefore requests do not stay too long in the request_list once the box 
is under load. Manual iptables rules are not maintainable; we only 
manually block IPs for the biggest hitter. I agree that what we are doing is 
_not_ a fix to the problem because we just allocated more resources to 
deal with the junk, but jostle-timeout definitely helps. I asked about 
it almost a year ago on this mailing-list.

Subject: Unbound DDoS / reflexion attack counter-measure ?
Date: 30/05/14 22:20

> Any solution that can be shared?
By trying to find my previous post, I actually realised that I missed 
Daisuke's email.

Subject: "a mitigation against random subdomain attack"
Date: 24/03/15

His solution: https://github.com/hdais/unbound-bloomfilter

I will test it when I have a bit of time.

Thomas
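The post blocks the "biggest hitter" sources by hand; the script below is an added example (not from the post, Unbound, or the linked bloomfilter project) that reads Unbound `log-queries` output and reports, per parent zone, how many distinct names were asked for, plus queries per client. The log line layout and the sample lines are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Unbound "log-queries: yes" lines. The layout
# "<ts> unbound[pid:tid] info: <client-ip> <qname> <qtype> <qclass>" is assumed.
SAMPLE_LOG = """\
[1427838834] unbound[2131:0] info: 192.0.2.10 www.example.net. A IN
[1427838834] unbound[2131:0] info: 198.51.100.7 x7k2q9.victim.example. A IN
[1427838834] unbound[2131:1] info: 198.51.100.7 p0a3lm.victim.example. A IN
[1427838835] unbound[2131:0] info: 203.0.113.4 zz91ab.victim.example. A IN
[1427838835] unbound[2131:0] info: 198.51.100.7 q8r4tt.victim.example. A IN
[1427838835] unbound[2131:1] info: 192.0.2.10 mail.example.net. MX IN
[1427838836] unbound[2131:0] info: 203.0.113.4 hh3n7e.victim.example. A IN
"""

LINE_RE = re.compile(r"info: (\S+) (\S+) (\S+) (\S+)$")

def parent_zone(qname, labels=2):
    """Return the last `labels` labels of a FQDN, e.g. 'victim.example.'."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-labels:]) + "."

def analyze(log_text, labels=2):
    """Return ({parent zone: distinct qnames seen}, Counter of queries per client).

    A parent zone that accumulates many distinct, never-repeated labels is the
    signature of a random-subdomain flood; the client counter is the list of
    biggest hitters the post describes blocking by hand.
    """
    distinct = defaultdict(set)
    per_client = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip non-query lines (startup messages, warnings, ...)
        client, qname = m.group(1), m.group(2)
        per_client[client] += 1
        distinct[parent_zone(qname, labels)].add(qname)
    return {z: len(names) for z, names in distinct.items()}, per_client

def suspicious_zones(log_text, min_distinct=3, labels=2):
    """Parent zones whose distinct-name count reaches the threshold."""
    zones, _ = analyze(log_text, labels)
    return sorted(z for z, n in zones.items() if n >= min_distinct)

if __name__ == "__main__":
    zones, clients = analyze(SAMPLE_LOG)
    print("distinct names per zone:", zones)
    print("queries per client:", clients.most_common(3))
    print("suspicious zones:", suspicious_zones(SAMPLE_LOG))
```

On a real server, feed it the log over a short window and compare the distinct-name counts against the zone's normal traffic before acting on the output.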