Create named-ddos.conf #677
Conversation
example log lines, which would help also to understand what kind of DoS we're talking about. Note that it is highly unrecommended to monitor/ban UDP traffic where IP could be spoofed, that is why we current
Also take a look at https://github.com/fail2ban/fail2ban/blob/master/FILTERS as your regex isn't anchored at the start. Sample definitely required (which is why the test failed).
Looks like a warning and commented out to me - https://github.com/fail2ban/fail2ban/blob/master/config/jail.conf#L563
Oh, and is this really a DoS incurring significant resource use of a patched named process or just some log message that you don't want to see?
Re: WARNING -- I must go to bed, since now not sure how I could have missed it (empty line in comment in vim made me sure that as for DoS and patched named process -- not sure what patch are you talking about?
Ignoring the spoofing of IP addresses for the time being, this is a named-ddos filter. If the log messages that are occurring aren't a DDoS of the named process then why should we be doing a filter for it?
example log: In the DDoS attack we experienced, the IPs were not spoofed. On Wed, Apr 2, 2014 at 10:26 PM, Daniel Black notifications@github.com wrote:
This fail2ban jail will basically do a form of rate-limiting on queries. On Thu, Apr 3, 2014 at 8:03 AM, e schmidbauer e.schmidbauer@gmail.com wrote:
DNS amplification attacks rely on spoofing the source IP (the target); however, you say the IPs were not spoofed. Is this attempting to accomplish something similar to: https://kb.isc.org/article/AA-01000/0/A-Quick-Introduction-to-Response-Rate-Limiting.html ? The placement in jail.conf seems a little odd since it is in between the comments for named-refused and the named-refused configuration. The warning should also be clear that it applies to both named-refused and named-ddos.
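The two points raised earlier in the thread, that the failregex must be anchored at the start of the line and tested against sample log lines, and that the jail amounts to rate-limiting clients on the "denied" message, can be checked offline. The following is an added example written for this page, not code from the pull request or from fail2ban itself: a fail2ban-style failregex for BIND's `query ... denied` message run over constructed log lines, with fail2ban's maxretry/findtime semantics reimplemented in a few lines so the effect of the time window is visible. The syslog/named log format, the simplified `<HOST>` stand-in and the maxretry/findtime values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed BIND 9 ("named") syslog lines for this example; they are not taken from the
# pull request and use documentation address ranges. All lines except the fifth carry the
# "query ... denied" message the filter should match; the fifth is an ordinary query-log
# line that must not match.
SAMPLE_LOG = [
    "Apr  3 08:03:11 ns1 named[1234]: client 198.51.100.7#53012: query (cache) 'example.com/ANY/IN' denied",
    "Apr  3 08:03:11 ns1 named[1234]: client 198.51.100.7#53013: query (cache) 'example.com/ANY/IN' denied",
    "Apr  3 08:03:12 ns1 named[1234]: client 198.51.100.7#53014: query (cache) 'example.com/ANY/IN' denied",
    "Apr  3 08:03:12 ns1 named[1234]: client 203.0.113.9#40001: query (cache) 'example.org/A/IN' denied",
    "Apr  3 08:03:13 ns1 named[1234]: client 192.0.2.5#1234: query: www.example.com IN A + (192.0.2.1)",
    "Apr  3 08:09:00 ns1 named[1234]: client 203.0.113.9#40002: query (cache) 'example.org/A/IN' denied",
    "Apr  3 08:09:01 ns1 named[1234]: client 203.0.113.9#40003: query (cache) 'example.org/A/IN' denied",
]

# Stand-in for fail2ban's <HOST> group (simplified: fail2ban's own expansion also accepts
# hostnames and bracketed IPv6 literals).
HOST = r"(?P<host>[0-9A-Fa-f.:]+)"

# Anchored with ^ at the syslog timestamp and $ at the end of the message, as the FILTERS
# document asks, so a match cannot begin part-way through a line (for instance inside an
# attacker-controlled query name that happens to be logged).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d+:\d+:\d+) \S+ named\[\d+\]: "
    r"client " + HOST + r"#\d+: query(?: \(cache\))? '[^']*' denied$"
)


def parse_line(line):
    """Return (timestamp, client IP) when the line matches FAILREGEX, else None."""
    m = FAILREGEX.match(line)
    if m is None:
        return None
    # Syslog timestamps carry no year; a relative window only needs ordering, so the
    # default year that strptime fills in is acceptable here.
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("host")


def hosts_to_ban(lines, maxretry=3, findtime=300):
    """Mimic a fail2ban jail: a host is banned once it produces `maxretry` matches within
    `findtime` seconds. Returns the hosts in the order they crossed the threshold."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # host -> timestamps of matches still inside the window
    banned = []
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        ts, host = hit
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:  # drop matches that have aged out of findtime
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    # 198.51.100.7 produces three denials within one second and is banned; 203.0.113.9 also
    # produces three, but the first is more than findtime before the other two.
    print(hosts_to_ban(SAMPLE_LOG))
    print(hosts_to_ban(SAMPLE_LOG, findtime=3600))
```

Note the caveat raised at the top of the thread: the client address in these messages is whatever source the UDP packet carried, so if it was spoofed the ban lands on the victim rather than the attacker. The ISC RRL mechanism linked above limits responses without banning anyone, which is why it fits the amplification case better than a jail.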
I suggest this be closed, as it seems generally the wrong approach to a perceived problem - at best. Worst case, it needs to be fixed up quite a bit and hasn't been in almost a year.
thus closing for now. I am also adding a new tag "closed-for-no-activity" |
This stuff probably needs to be cleaned up.