Survive from DDoS

Jos Chrispijn jos at webrz.net
Wed May 28 14:05:25 UTC 2008


Kalpin Erlangga Silaen wrote:
> Yesterday, our shell server was attacked and the server immediately rebooted.
> I checked the logs; it looks like a UDP flood with destination port 53. Is there
> any way to survive this kind of attack?

(i)
Do a "grep 53 /etc/services" and search for port 53 on both tcp and udp.
Use tcpdump to examine the traffic to see if you can find out what is
making the requests.

(ii)
You could set up a caching-only name server. By default, the queries
would be performed through a random port, and any previous queries would
reference the cache, rather than rely on the remote DNS.

(iii)
I found this on the net:

You could tie your address resolution to a group.

Say, for instance, you create a group called "resolve", and add yourself
to it and root (for ports):

# pw groupadd resolve -M root,you

Then, just add something like this to IPFW rule set, replacing the
example DNS addresses with your actual addresses:

DNS1="1.2.3.4"
DNS2="5.6.7.8"

add pass udp from any 53 to $DNS1,$DNS2 53 out gid resolve keep-state

That would have the effect of blocking anything outward-bound from port
53, except that of address queries by you and root.

If you're running a caching-only NS, set up "bind" as a member of the
group, and your firewall line w/o the port 53 specification:

# pw groupmod resolve -m bind

add pass udp from any 53 to $DNS1,$DNS2 53 out gid resolve keep-state
add pass udp from any to $DNS1,$DNS2 53 out gid resolve keep-state

That will block everyone but bind from querying the remote DNS server.

-- cut --

I hope this helps...
Jos

--
My other computer is a BBC Model B+
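An added example, not from the original post or from Jos's reply: a small Python script that does what point (i) above suggests by hand. It parses `tcpdump -n udp port 53` output, counts packets per source address towards destination port 53, ignores the replies (source port 53) mixed into the capture, flags sources above a threshold with their packet rate and number of distinct source ports, and turns the flagged sources into ipfw deny rules in the style of the rules above. The capture lines, the RFC 5737 documentation addresses, the 5-packet threshold and the rule numbers starting at 1000 are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n udp port 53` output; these are documentation
# addresses (RFC 5737), not traffic from the original post.
SAMPLE_CAPTURE = """\
14:05:25.100001 IP 203.0.113.7.41234 > 192.0.2.10.53: 1+ A? example.com. (29)
14:05:25.100120 IP 203.0.113.7.41235 > 192.0.2.10.53: 2+ A? example.com. (29)
14:05:25.100233 IP 203.0.113.7.41236 > 192.0.2.10.53: 3+ A? example.com. (29)
14:05:25.100340 IP 203.0.113.7.41237 > 192.0.2.10.53: 4+ A? example.com. (29)
14:05:25.100455 IP 203.0.113.7.41238 > 192.0.2.10.53: 5+ A? example.com. (29)
14:05:25.100567 IP 203.0.113.7.41239 > 192.0.2.10.53: 6+ A? example.com. (29)
14:05:25.200001 IP 198.51.100.5.55012 > 192.0.2.10.53: 7+ A? www.freebsd.org. (33)
14:05:25.200900 IP 192.0.2.10.53 > 198.51.100.5.55012: 7 1/0/0 A 203.0.113.9 (49)
14:05:25.300001 IP 192.0.2.10.53 > 203.0.113.7.41234: 1 ServFail 0/0/0 (29)
"""

# tcpdump's default IPv4 line format: "HH:MM:SS.usec IP a.b.c.d.sport > e.f.g.h.dport: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
)


def parse_line(line):
    """Return (seconds_since_midnight, src, sport, dst, dport), or None for non-packet lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s = m.group("ts").split(":")
    ts = int(h) * 3600 + int(mi) * 60 + float(s)
    return ts, m.group("src"), int(m.group("sport")), m.group("dst"), int(m.group("dport"))


def summarize(capture, dport=53):
    """Per-source statistics for packets whose destination port is `dport`."""
    stats = defaultdict(lambda: {"packets": 0, "sports": set(), "first": None, "last": None})
    for line in capture.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, sport, _dst, pkt_dport = rec
        if pkt_dport != dport:
            continue  # replies (source port 53) and other traffic are not part of the flood
        st = stats[src]
        st["packets"] += 1
        st["sports"].add(sport)
        st["first"] = ts if st["first"] is None else min(st["first"], ts)
        st["last"] = ts if st["last"] is None else max(st["last"], ts)
    return stats


def flag_flooders(capture, dport=53, min_packets=5):
    """Sources that sent at least `min_packets` to `dport`, with packet rate and port spread."""
    flagged = {}
    for src, st in summarize(capture, dport).items():
        if st["packets"] < min_packets:
            continue
        # Floor the time span at 1 ms so a single packet does not divide by zero.
        span = max(st["last"] - st["first"], 0.001)
        flagged[src] = {
            "packets": st["packets"],
            "distinct_sports": len(st["sports"]),
            "pps": st["packets"] / span,
        }
    return flagged


def ipfw_block_rules(flagged, first_rule=1000):
    """One ipfw deny rule per flagged source; the starting rule number is an assumption."""
    return [
        f"add {first_rule + i} deny udp from {src} to any 53 in"
        for i, src in enumerate(sorted(flagged))
    ]


if __name__ == "__main__":
    hits = flag_flooders(SAMPLE_CAPTURE)
    for src, info in hits.items():
        print(f"{src}: {info['packets']} pkts, {info['distinct_sports']} source ports, "
              f"~{info['pps']:.0f} pps")
    print("\n".join(ipfw_block_rules(hits)))
```

Feed it a real capture with `tcpdump -n -l udp port 53 | python3 script.py` style piping once `SAMPLE_CAPTURE` is replaced by `sys.stdin.read()`. One caveat before trusting the generated rules: a flood whose source addresses are spoofed produces thousands of "sources" with one packet each, and per-source deny rules do nothing against it; in that case the packet rate towards port 53 as a whole is the number to watch, and the traffic has to be dropped or rate-limited upstream of the host.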

