
Automatic Block DNS floods?

Posted: 18 Aug 2010, 10:21
by Snas
Hi Guys,

In my /var/log/messages I found lots of entries (about 20 requests a second):
Aug 18 11:17:14 Player named[3706]: client 81.27.102.20#64048: query (cache) './NS/IN' denied
Aug 18 11:17:14 Player named[3706]: client 81.27.102.20#32688: query (cache) './NS/IN' denied
Aug 18 11:17:14 Player named[3706]: client 81.27.102.20#27528: query (cache) './NS/IN' denied
Aug 18 11:17:14 Player named[3706]: client 81.27.102.20#26478: query (cache) './NS/IN' denied
Aug 18 11:17:14 Player named[3706]: client 81.27.102.20#38763: query (cache) './NS/IN' denied
Aug 18 11:17:14 Player named[3706]: client 81.27.102.20#28586: query (cache) './NS/IN' denied
Aug 18 11:17:15 Player named[3706]: client 81.27.102.20#57290: query (cache) './NS/IN' denied
Aug 18 11:17:15 Player named[3706]: client 81.27.102.20#41726: query (cache) './NS/IN' denied
Aug 18 11:17:15 Player named[3706]: client 81.27.102.20#56843: query (cache) './NS/IN' denied
Aug 18 11:17:15 Player named[3706]: client 81.27.102.20#17108: query (cache) './NS/IN' denied
Aug 18 11:17:15 Player named[3706]: client 81.27.102.20#30559: query (cache) './NS/IN' denied
It turns out somebody is DNS flooding me; my server then generates lots of I/O on my SAN, which causes other servers to run a bit slower.

I've enabled "LF_BIND = 100" but the flood keeps on going...

I've blocked another IP by hand yesterday, but a new one started to flood me again. I can also block this IP by hand, but could it be done automatically by CSF?

thanks!

Server is CentOS 5.4 with DirectAdmin installed
Linux Player.HOST 2.6.18-194.11.1.el5 #1 SMP Tue Aug 10 19:05:06 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux
BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2

Re: Automatic Block DNS floods?

Posted: 18 Aug 2010, 10:44
by Snas
Must have something to do with the code in regex.pm:

#BIND
if (($config{LF_BIND}) and ($lgfile eq $config{BIND_LOG}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ named\[\d+\]: client (\S+)\#\d+\:( view external\:)? (update|zone transfer) \'.*\' denied$/)) {
    $ip = $2; $acc = ""; $ip =~ s/^::ffff://;
    if (&checkip($ip)) {return ("bind triggered by","$ip|$acc","bind")} else {return}
}

Re: Automatic Block DNS floods?

Posted: 18 Aug 2010, 10:52
by Snas
OK, found the solution...

in the #BIND section in /etc/csf/regex.pm

original line:


$line =~ /^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ named\[\d+\]: client (\S+)\#\d+\:( view external\:)? (update|zone transfer) \'.*\' denied$/)) {
I've modified it to match my DNS flood:


$line =~ /^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ named\[\d+\]: client (\S+)\#\d+\:( view external\:)? (query \(cache\)|update|zone transfer) \'.*\' denied$/)) {
(added `query \(cache\)|` to the "update|zone transfer" alternation)

Could this be included in the next release of CSF, as this will be overwritten by an update?

Thanks!

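The following is an added example, not code from the thread or from CSF itself. It translates the original and the modified BIND regex from regex.pm into Python and runs both over a handful of log lines to show why the unmodified pattern never triggers LF_BIND on a `query (cache) ... denied` flood: only `update` and `zone transfer` denials are in its alternation. The first two log lines are copied from the thread; the remaining lines (RFC 5737 addresses, a `view external:` client, an IPv4-mapped IPv6 address, a querylog line that must not match) are constructed. The per-IP counting is a simplification of what lfd does; it ignores the LF_INTERVAL time window, and the function names are this example's own.

```python
import re
from collections import Counter

# Pattern from /etc/csf/regex.pm before the change (Perl -> Python is a
# straight copy here: \#, \: and \' are plain literals in both engines).
BIND_ORIGINAL = re.compile(
    r"^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ named\[\d+\]: client (\S+)\#\d+\:"
    r"( view external\:)? (update|zone transfer) \'.*\' denied$"
)

# Snas's modified pattern: 'query (cache)' added to the alternation so that
# refused recursive queries count as BIND failures too.
BIND_MODIFIED = re.compile(
    r"^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ named\[\d+\]: client (\S+)\#\d+\:"
    r"( view external\:)? (query \(cache\)|update|zone transfer) \'.*\' denied$"
)

# Sample input. Lines 1-2 are from the thread; the rest are constructed
# (RFC 5737 addresses) to cover the other denial types and a non-match.
SAMPLE_LOG = """\
Aug 18 11:17:14 Player named[3706]: client 81.27.102.20#64048: query (cache) './NS/IN' denied
Aug 18 11:17:14 Player named[3706]: client 81.27.102.20#32688: query (cache) './NS/IN' denied
Aug 18 11:17:15 Player named[3706]: client ::ffff:192.0.2.10#53: view external: query (cache) './NS/IN' denied
Aug 18 11:17:16 Player named[3706]: client 198.51.100.7#12345: update 'example.com/IN' denied
Aug 18 11:17:17 Player named[3706]: client 203.0.113.9#4444: zone transfer 'example.com/IN' denied
Aug 18 11:17:18 Player named[3706]: client 192.0.2.55#1024: query: example.net IN A + (203.0.113.1)
Aug 18 11:17:19 Player named[3706]: zone example.com/IN: loaded serial 2010081801
"""


def matched_ips(pattern, log_text):
    """Return the client IP of every line `pattern` matches, in log order.

    Group 2 is the client address; the ::ffff: prefix of IPv4-mapped IPv6
    addresses is stripped exactly as regex.pm does with s/^::ffff://.
    """
    ips = []
    for line in log_text.splitlines():
        m = pattern.match(line)
        if m:
            ips.append(re.sub(r"^::ffff:", "", m.group(2)))
    return ips


def offenders(pattern, log_text, lf_bind):
    """Count matches per client and return those that reached the LF_BIND
    threshold. This is a simplified model of lfd's counting: the real daemon
    only counts hits inside the LF_INTERVAL window, which is not modelled here.
    """
    counts = Counter(matched_ips(pattern, log_text))
    return {ip: n for ip, n in counts.items() if n >= lf_bind}


if __name__ == "__main__":
    # With a low threshold for illustration (the thread used LF_BIND = 100).
    print("original regex hits :", matched_ips(BIND_ORIGINAL, SAMPLE_LOG))
    print("modified regex hits :", matched_ips(BIND_MODIFIED, SAMPLE_LOG))
    print("original offenders  :", offenders(BIND_ORIGINAL, SAMPLE_LOG, 2))
    print("modified offenders  :", offenders(BIND_MODIFIED, SAMPLE_LOG, 2))
```

Run as a script it shows the flooding client from the thread appearing only under the modified pattern; the original pattern still sees the `update` and `zone transfer` denials, so LF_BIND was working as designed, just not for this class of log line. Note that the `[^\s\.]+` hostname token means the pattern will not match at all if syslog writes the fully qualified hostname (`Player.HOST`) instead of the short name, which is worth checking with `grep` before assuming the regex is at fault.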
Re: Automatic Block DNS floods?

Posted: 09 Sep 2010, 09:26
by chirpy
I'll look at adding that to the regex.

Re: Automatic Block DNS floods?

Posted: 02 Oct 2010, 09:19
by chirpy
This has now been added in csf v5.10