[dns-operations] Botnets, botnets everywhere

bert hubert bert.hubert at netherlabs.nl
Thu Sep 11 13:12:49 UTC 2014


On Thu, Sep 11, 2014 at 04:38:25PM +0400, Peter Andreev wrote:
> I'd like to ask the respected community, how do you detect and protect
> against such activity? Will RRL help me if all suspected queries come
> with random qname?

No, it will probably not, since the answers are all servfails.

PowerDNS Recursor 3.6.0 and beyond contain logic that globally detects
nameservers that are already dead and stops sending further queries; it can
reduce flow by 99%, for example (with only one infrequent ping query to see if
a server is up again).

But we still get flooded by the traffic which wastes CPU and degrades
performance.

http://comments.gmane.org/gmane.network.dns.operations/3764 this thread has
some wisdom too on generating filters for BIND.

It should be possible to do this in some smarter fashion within a
nameserver, but the real solution is to target the clients sending you such
queries, which tend to be DNS forwarders or botnet members in their own
right.

There is far more harm they could inflict otherwise.

-- 
PowerDNS Website: http://www.powerdns.com/
Contact us by phone on +31-15-7850372
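An added example, not part of the original message and not PowerDNS code: the two mechanisms the reply describes, modelled in Python. `find_random_qname_clients` does what the question asked about, finding the clients behind a random-qname flood from resolver logs (high ratio of distinct leftmost labels, high SERVFAIL ratio, high label entropy), since RRL sees only uniform SERVFAILs. `DeadServerThrottle` models the "stop querying a dead nameserver, let one probe through now and then" logic the reply attributes to Recursor 3.6. The log format, thresholds, probe interval, and the "last two labels" base-domain rule are all assumptions for illustration; the log lines are constructed.

```python
import math
from collections import defaultdict

# Constructed resolver log lines in a hypothetical "<client> <qname> <rcode>"
# format (not the Recursor's or BIND's real query-log format).
SAMPLE_LOG = """\
192.0.2.10 k3j9x0q2.victim.example SERVFAIL
192.0.2.10 pq7m2zz1.victim.example SERVFAIL
192.0.2.10 a0b1c2d3.victim.example SERVFAIL
192.0.2.10 zzq81lm4.victim.example SERVFAIL
192.0.2.10 t5r6y7u8.victim.example SERVFAIL
192.0.2.10 www.victim.example SERVFAIL
198.51.100.7 www.example.net NOERROR
198.51.100.7 mail.example.net NOERROR
198.51.100.7 www.example.net NOERROR
198.51.100.7 www.example.net NOERROR
198.51.100.7 mail.example.net NOERROR
203.0.113.5 cdn.example.org NOERROR
203.0.113.5 www.victim.example SERVFAIL
"""


def base_domain(qname):
    # Assumption for the example: registrable domain = last two labels.
    # Production code should consult the Public Suffix List instead.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def label_entropy(label):
    # Shannon entropy in bits per character; random labels score ~3, "www" scores 0.
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_random_qname_clients(log_text, min_queries=5, min_distinct_ratio=0.9,
                              min_servfail_ratio=0.9, min_entropy=2.0):
    """Return {(client, base_domain): stats} for clients that look like
    random-qname flood sources. Thresholds are illustrative assumptions."""
    stats = defaultdict(lambda: {"n": 0, "servfail": 0, "labels": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        client, qname, rcode = parts
        s = stats[(client, base_domain(qname))]
        s["n"] += 1
        if rcode == "SERVFAIL":
            s["servfail"] += 1
        s["labels"].add(qname.rstrip(".").lower().split(".")[0])
    flagged = {}
    for key, s in stats.items():
        if s["n"] < min_queries:
            continue
        distinct_ratio = len(s["labels"]) / s["n"]
        servfail_ratio = s["servfail"] / s["n"]
        mean_entropy = sum(label_entropy(l) for l in s["labels"]) / len(s["labels"])
        if (distinct_ratio >= min_distinct_ratio and servfail_ratio >= min_servfail_ratio
                and mean_entropy >= min_entropy):
            flagged[key] = {"queries": s["n"], "distinct_ratio": distinct_ratio,
                            "servfail_ratio": servfail_ratio, "mean_entropy": mean_entropy}
    return flagged


class DeadServerThrottle:
    """Models the dead-nameserver logic described in the reply: after
    max_failures consecutive failures, stop sending to that server and let a
    single probe through every probe_interval seconds. The numbers are
    assumptions, not the Recursor's actual parameters."""

    def __init__(self, max_failures=3, probe_interval=60):
        self.max_failures = max_failures
        self.probe_interval = probe_interval
        self.failures = defaultdict(int)
        self.next_probe = {}

    def should_send(self, server, now):
        if self.failures[server] < self.max_failures:
            return True
        if now >= self.next_probe.get(server, 0):
            self.next_probe[server] = now + self.probe_interval
            return True  # the one probe allowed per interval
        return False

    def record(self, server, ok, now):
        if ok:
            self.failures[server] = 0
            self.next_probe.pop(server, None)
        else:
            self.failures[server] += 1
            if self.failures[server] == self.max_failures:
                self.next_probe[server] = now + self.probe_interval


def simulate_flood(n_queries, throttle, server="203.0.113.53"):
    """Send one query per second (constructed timing) to a server that never
    answers; return how many actually go out on the wire."""
    sent = 0
    for now in range(n_queries):
        if throttle.should_send(server, now):
            sent += 1
            throttle.record(server, ok=False, now=now)
    return sent


if __name__ == "__main__":
    for (client, domain), s in find_random_qname_clients(SAMPLE_LOG).items():
        print(f"flag {client} -> {domain}: {s}")
    print("sent", simulate_flood(600, DeadServerThrottle()), "of 600 queries")
```

With the constructed log, only 192.0.2.10 querying victim.example is flagged (six queries, six distinct labels, all SERVFAIL); the 198.51.100.7 client repeats two ordinary names and is ignored. In the throttle simulation, 600 queries at one per second to a dead server produce 3 initial attempts plus 9 sixty-second probes, 12 packets in total, which is the roughly 98 to 99% reduction the reply describes. Note the flagged-client list is the input to the reply's actual recommendation: rate-limit or block those sources (often open forwarders or bots), rather than trying to answer faster.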


