HIgh CPU usage on named (bind)
Last few months we ve noticed that our hosting servers suffer high cpu usage (even 24 cores ones)
After examination it showe that the cause is simple: named causes high load.
The cause was DNS DOS queries (even if the server is set up as authoritative only, and is not an open resolver)
To fix this we managed a script that is able to recognise the attacking ip and block it via csf.
to implement it :
Now when dns ddoser will be tryng to flood you with requests the firewall autamatically block attacker ip causing load to drop dramatically. Well it is just 1st version of the script so feel free to improve that. Best Regards Konrad Olszewski
1. install CSF (Config Server Firewall) and enable (testing=0)
2. make a script in /root
#touch /root/dnsddos.sh
#vi /root/dnsddos.sh
then copy/paste:
#!/bin/bash
IFS=$'\n'
a=x.y.z
rm -f /tmp/dnsddos.catch
rm -f /tmp/dnsddos.count
touch /tmp/dnsddos.count
tcpdump -i eth0 -n -c 200 udp dst portrange 53 |cut -f3 -d' ' |cut -f1-4 -d '.' |grep -v $a |grep -v packets > /tmp/dnsddos.catch
uniq -c -d /tmp/dnsddos.catch | sed -e 's/^ *//' -e 's/ *$//' > /tmp/dnsddos.count
for i in $(cat /tmp/dnsddos.count)
do
c=$(echo $i |cut -f1 -d' ')
p=$(echo $i |cut -f2 -d' ')
if test $c -ge 60
then
/usr/sbin/csf -d $p ' DNS DDOSER'
fi
done
3. change a= line to something like a=192.168.0 using 3 first records of your server ip instead of 192.168.0
4. #chmod 777 /root/dnsddos.sh
5. edit /etc/csf/csf.conf
and change lines below to be as :
PT_LOAD = "30"
PT_LOAD_AVG = "1"
PT_LOAD_LEVEL = "10"
PT_LOAD_SKIP = "900"
PT_LOAD_ACTION = "/root/dnsddos.sh"
6.#/etc/init.d/csf restartNow when dns ddoser will be tryng to flood you with requests the firewall autamatically block attacker ip causing load to drop dramatically. Well it is just 1st version of the script so feel free to improve that. Best Regards Konrad Olszewski
-
Hello :) Thank you for taking the time to provide this script. I've moved this to our "Security" forum as it will likely receive more user-feedback and visibility here. 0
Please sign in to leave a comment.
Comments
1 comment