So I've been having DoS flood attacks semi-regularly hit my DNS servers. They were built on Windows 2003, so there's no real effective way to proactively filter out the offending IP addresses. So, I decided to redeploy the DNS servers as BIND on Linux boxes. To fascilitate automatic banning of IPs, I employed fail2ban. It monitors my BIND access logs and automagically bans (via IPTables) anyone who queries more than 200 times in 10 seconds (safe level, based on realistic usage of our name servers and the domains we host).
It's also got pretty cool features such as:
Monitors SSH logs and automatically bans anyone who fails authentication more than 4 times in 10 minutes, and then emails me the IP and whois information.
Only drawbacks are the latency of the log file monitoring. For instance, I had one IP yesterday effect 500,000 DNS requests, which so overloaded the system that fail2ban took almost 10 minutes to kick off and block it. Fail2ban then proceeded to attempt to block it roughly 2000 more times. It's got some quirks, but it's a hell of a lot more helpful than waiting for DNS to stop responding and then using wireshark to find the IP and filter it at the firewall.
Anyway, just a PSA that everyone here should know about.
It's also got pretty cool features such as:
Monitors SSH logs and automatically bans anyone who fails authentication more than 4 times in 10 minutes, and then emails me the IP and whois information.
Only drawbacks are the latency of the log file monitoring. For instance, I had one IP yesterday effect 500,000 DNS requests, which so overloaded the system that fail2ban took almost 10 minutes to kick off and block it. Fail2ban then proceeded to attempt to block it roughly 2000 more times. It's got some quirks, but it's a hell of a lot more helpful than waiting for DNS to stop responding and then using wireshark to find the IP and filter it at the firewall.
Anyway, just a PSA that everyone here should know about.
Facebook
Twitter