Create named-ddos.conf #677

Closed
Conversation

eschmidbauer

This stuff probably needs to be cleaned up.

@yarikoptic
Member

example log lines, which would also help to understand what kind of DoS we're talking about. Note that it is highly unrecommended to monitor/ban UDP traffic where the IP could be spoofed; that is why the current named-refused does it only for TCP (I am confused now though why in comments we still have the construct for udp without any warning... could anyone remind?)

@grooverdan
Contributor

Also take a look at https://github.com/fail2ban/fail2ban/blob/master/FILTERS as your regex isn't anchored at the start. Sample definitely required (which is why the test failed).

> (I am confused now though why in comments we still have construct for udp without any warning... could anyone remind?)

Looks like a warning and commented out to me - https://github.com/fail2ban/fail2ban/blob/master/config/jail.conf#L563

@grooverdan
Contributor

Oh, and is this really a DoS incurring significant resource use of a patched named process or just some log message that you don't want to see?

@yarikoptic
Member

Re: WARNING -- I must go to bed, since now not sure how I could have missed it (empty line in comment in vim made me sure that # IMPORTANT was the beginning of that jail definition), I guess due to red-eye flight yesterday from CA ;)

as for DoS and patched named process -- not sure what patch you are talking about?
as for resource use -- it would not be DoS through resource exhaustion, I could just spoof an IP to be banned via a UDP query, or have I missed the point again? ;-)

@grooverdan
Contributor

> as for DoS and patched named process -- not sure what patch are you talking about ?
> as for resource use -- it would not be DoS through resources' exhaustion

Ignoring the spoofing of IP addresses for the time being, this is a named-ddos filter. If the log messages that are occurring aren't a DDOS of named process then why should we be doing a filter for it?

@eschmidbauer
Author

example log:

```
02-Apr-2014 10:45:45.027 client 71.13.201.15#49621: query: yahoo.com IN A + (71.13.201.15)
```

In the DDoS attack we experienced, the IPs were not spoofed.
It was this type of attack:
http://dnsamplificationattacks.blogspot.com/2014/01/domain-zong.html


@eschmidbauer
Author

This fail2ban jail will basically do a form of rate-limiting on queries
from a source IP address which effectively CAN prevent a DDoS attack.
Please consider my configuration, although I know it needs to be cleaned
up quite a bit. (I only wanted to share my configuration with the community and
asked about posting to the wiki, but I was told to try to push this into GIT
instead.)
Thanks

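The per-source rate limiting described above, worked through as an added example (not the PR's named-ddos.conf and not fail2ban's own code): an anchored regex for the BIND query-log line quoted earlier, plus a sliding-window counter that mimics fail2ban's maxretry/findtime. It also carries the caveat raised in this thread: with `tcp_only=True` it ignores queries lacking BIND's `T` (TCP) flag, since a UDP source address may be spoofed. The burst from 198.51.100.7 and the server address 203.0.113.53 are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Anchored at line start, as the fail2ban FILTERS guidelines ask. In a real
# filter.d file the literal IPv4 group below would be written as <HOST>.
BIND_QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<host>\d{1,3}(?:\.\d{1,3}){3})#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+) \(\S+\)$"
)

def parse_query(line):
    """Return (epoch_seconds, source_ip, flags) for a BIND query-log line, else None."""
    m = BIND_QUERY_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f").timestamp()
    return ts, m.group("host"), m.group("flags")

def find_offenders(lines, maxretry=100, findtime=10.0, tcp_only=True):
    """Sliding-window count per source IP, like fail2ban's maxretry/findtime.
    Returns the set of IPs that sent more than maxretry queries within findtime
    seconds. With tcp_only=True, queries without BIND's 'T' (TCP) flag are
    skipped: a UDP source address may be spoofed, so banning it could punish
    a third party instead of the sender."""
    windows = defaultdict(deque)
    offenders = set()
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            continue  # not a query-log line; never matched by an anchored regex
        ts, host, flags = parsed
        if tcp_only and "T" not in flags:
            continue
        w = windows[host]
        w.append(ts)
        while w and ts - w[0] > findtime:
            w.popleft()  # drop events outside the findtime window
        if len(w) > maxretry:
            offenders.add(host)
    return offenders

# Constructed sample: the thread's example line plus a burst of 150 UDP
# queries from 198.51.100.7 (documentation range) within six seconds.
SAMPLE_LINES = [
    "02-Apr-2014 10:45:45.027 client 71.13.201.15#49621: query: yahoo.com IN A + (71.13.201.15)",
] + [
    "02-Apr-2014 10:46:%02d.%03d client 198.51.100.7#%d: query: example.com IN ANY +E (203.0.113.53)"
    % (i // 25, (i % 25) * 40, 40000 + i) for i in range(150)
]
```

Running `find_offenders(SAMPLE_LINES, tcp_only=False)` flags the bursting source, while the default `tcp_only=True` flags nothing because every sample query arrived over UDP.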

@leeclemens
Contributor

DNS amplification attacks rely on spoofing the source IP (the target); however, you say the IPs were not spoofed.

Is this attempting to accomplish something similar to: https://kb.isc.org/article/AA-01000/0/A-Quick-Introduction-to-Response-Rate-Limiting.html ?

The placement in jail.conf seems a little odd since it is in between the comments for named-refused and the named-refused configuration. The warning should also be clear that it applies to both named-refused and named-ddos.

@leeclemens
Contributor

I suggest this be closed, as it seems generally the wrong approach to a perceived problem - at best. Worst case, it needs to be fixed up quite a bit and hasn't been in almost a year.

@yarikoptic
Member

thus closing for now. I am also adding a new tag "closed-for-no-activity"

@yarikoptic yarikoptic closed this Jan 28, 2015