
2009-Jan-28

I had been using blackhole{} in my named options to stop responding to the spoofed UDP sources. The correct DNS response is REFUSED (rather than handing them referrals). But over time I know these are not legitimate DNS queries, and I assume they aren't really from the source address, so I chose to not respond at all.

This is for the ongoing DDoS attacks that I was participating in, as are many other DNS operators. In my case, I was only replying with the same amount of traffic as I received (REFUSED), but many DNS servers are configured to actually provide a list of other nameservers to ask instead, making the response perhaps five times larger. You can learn more at DNS-OARC: https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful (but note that the targets are different now).

So I decided to use PF, which makes this easier than editing named.conf and doing a reconfig. In my /etc/pf.conf, I added:

table <dns-ddos> persist    # kept across ruleset reloads; filled at runtime with pfctl -T add
...
block drop in on $ext_if proto udp from <dns-ddos> to any port domain    # drop silently, no reply at all

Then I reloaded my PF ruleset. After that, I add IPs to drop as I identify them:

 /sbin/pfctl  -t dns-ddos -T add 76.9.16.171
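The procedure above (find the flooding sources, feed them into the <dns-ddos> table) can be scripted. The script below is an added example, not code from the original post. It assumes BIND "security" log lines of the constructed form shown in sample_log ("client A.B.C.D#PORT: query (cache) './NS/IN' denied"), the <dns-ddos> table from the pf.conf fragment above, and a DRY_RUN variable of its own: with DRY_RUN=1 (the default) it only prints the pfctl commands, and with DRY_RUN=0 as root it runs them. It also checks that each entry really is an IPv4 address before it is handed to pfctl, and applies a minimum count so that one stray refused query does not get a host blackholed.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes BIND security-log lines
# of the constructed form in sample_log and the <dns-ddos> pf table from the
# post. DRY_RUN is this script's own knob: 1 prints the pfctl commands, 0 runs them.

DRY_RUN=${DRY_RUN:-1}

# Constructed sample log, not real traffic: two sources flooding "." NS queries,
# one source with a single refused query, one ordinary lookup, and a malformed
# client field that must never reach the pfctl command line.
sample_log() {
    cat <<'EOF'
28-Jan-2009 10:00:01.123 client 76.9.16.171#53: query (cache) './NS/IN' denied
28-Jan-2009 10:00:01.301 client 64.57.246.146#53: query (cache) './NS/IN' denied
28-Jan-2009 10:00:01.455 client 76.9.16.171#53: query (cache) './NS/IN' denied
28-Jan-2009 10:00:01.600 client 192.0.2.10#33021: query (cache) './NS/IN' denied
28-Jan-2009 10:00:01.702 client 198.51.100.5#40112: query: example.com IN A +
28-Jan-2009 10:00:01.811 client 64.57.246.146#53: query (cache) './NS/IN' denied
28-Jan-2009 10:00:01.915 client 76.9.16.171#53: query (cache) './NS/IN' denied
28-Jan-2009 10:00:02.020 client 64.57.246.146#53: query (cache) './NS/IN' denied
28-Jan-2009 10:00:02.133 client 76.9.16.171#53: query (cache) './NS/IN' denied
28-Jan-2009 10:00:02.240 client bogus.example#53: query (cache) './NS/IN' denied
28-Jan-2009 10:00:02.350 client bogus.example#53: query (cache) './NS/IN' denied
28-Jan-2009 10:00:02.460 client bogus.example#53: query (cache) './NS/IN' denied
EOF
}

# denied_sources MIN: print every source that sent at least MIN denied queries,
# sorted numerically so the output is stable. One refused query is normal (a
# misconfigured resolver); a steady stream of them is the flood worth dropping.
denied_sources() {
    awk -v min="${1:-1}" '
        / denied$/ {
            for (i = 1; i < NF; i++)
                if ($i == "client") {
                    split($(i + 1), parts, "#")   # "76.9.16.171#53:" -> "76.9.16.171"
                    count[parts[1]]++
                }
        }
        END { for (ip in count) if (count[ip] >= min) print ip }
    ' | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n
}

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255, so
# that nothing but an address is ever passed to pfctl.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            exit 0
        }
        { exit 1 }
    '
}

# blackhole_sources: read one address per line on stdin and add each valid one
# to the <dns-ddos> table (or print the command when DRY_RUN=1). Malformed
# entries are reported on stderr and skipped.
blackhole_sources() {
    while IFS= read -r ip; do
        if ! is_ipv4 "$ip"; then
            echo "skipping malformed entry: $ip" >&2
            continue
        fi
        if [ "$DRY_RUN" = 1 ]; then
            echo "/sbin/pfctl -t dns-ddos -T add $ip"
        else
            /sbin/pfctl -t dns-ddos -T add "$ip"
        fi
    done
}

# Demo against the constructed log: only sources with three or more denied queries.
sample_log | denied_sources 3 | blackhole_sources
```

In real use, replace sample_log with the named security log (for example `tail -n 10000 /var/log/named/security.log | denied_sources 50 | blackhole_sources`). Since the sources are spoofed, every address in the table is itself a victim that is being cut off from the server, so the list deserves an occasional review with `pfctl -t dns-ddos -T show` and pruning with `pfctl -t dns-ddos -T delete ADDRESS` once the flood from that address stops.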

I also asked my upstream providers to help track the spoofed addresses and to encourage them to deploy BCP38 to make sure they don't allow bogus source addresses originating in their own space.

I haven't added all the spoofed IPs hitting me yet, but here are some:

# /sbin/pfctl -q -t dns-ddos -T show
   63.217.28.226
   64.57.246.146
   66.230.160.1
   67.192.144.0
   76.9.16.171