Re: [Fail2ban-users] DDOS bind9

[Vik K. <vip...@gm...>]

My goal is not to get this committed to code-base. As I said before the
setup most likely need refinement. I tested it and it works. I only wanted
to share it as a resource where it could be edited by others which is why I
just wanted to post it on wiki for others...
How can I get a wiki account?
Thanks




On Wed, Apr 2, 2014 at 12:49 PM, Tom Hendrikx <to...@wh...> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>
> The PR is ok, but the contents arentt (yet). The tests just make sure
> that it's easy to spot errors. Your PR seems to miss a log snippet
> that can be used to test if the jail actually works. Some
> documentation on how things should look like:
> https://github.com/fail2ban/fail2ban/blob/master/FILTERS
>
> If you run into issues, post the logs here, we'll help you. :)
>
> Tom
>
> On 02-04-14 17:33, Vik Killa wrote:
> > Looks like my pull request failed...lol this is why i prefer just
> > adding to wiki
> > https://travis-ci.org/fail2ban/fail2ban/builds/22111129
> >
> >
> >
> > On Wed, Apr 2, 2014 at 11:13 AM, Vik Killa <vip...@gm...
> > <mailto:vip...@gm...>> wrote:
> >
> >
> > Sorry, I thought i was replying to list.... I just signed up for
> > github, i think i did it correctly...
> > https://github.com/fail2ban/fail2ban/pull/677
> >
> > Thanks
> >
> >
> > On Wed, Apr 2, 2014 at 10:54 AM, Tom Hendrikx <to...@wh...
> > <mailto:to...@wh...>> wrote:
> >
> >
> > Hi Vik,
> >
> > please keep replies on-list...
> >
> > Just put it in github, it's easy to clean it up there. I'll take a
> > look at it when it's there. But a wiki is no coding platform :)
> >
> > Tom
> >
> > On 04/02/2014 04:48 PM, Vik Killa wrote:
> >> I think it could stand to be "cleaned up" as I am no expert
> > with regex
> >> and fail2ban... I'd rather post it on wiki and have someone else
> >> push it to
> > GIT after
> >> it's been a bit refined... Thanks
> >>
> >>
> >>
> >> On Wed, Apr 2, 2014 at 10:40 AM, Tom Hendrikx
> > <to...@wh... <mailto:to...@wh...>
> >> <mailto:to...@wh... <mailto:to...@wh...>>> wrote:
> >>
> >>
> >> Hi,
> >>
> >> You should put the jail/config stuff in a github pull
> > request I think.
> >> then everybody can actually use it:)
> >>
> >> Tom
> >>
> >> On 04/02/2014 04:36 PM, Vik Killa wrote:
> >>> new version of BIND has RRL for rate-limiting. in any case,
> >>> i've written a jail and configuration for
> > bind9 that
> >>> protects against DDoS attacks. I'd like to post it on wiki. Can
> >>> someone help me with setting up an account on the
> > fail2ban wiki?
> >>> Thanks
> >>>
> >>>
> >>>
> >>> On Tue, Jul 24, 2012 at 3:38 AM, Fabian Wenk
> > <fa...@we... <mailto:fa...@we...>
> >> <mailto:fa...@we... <mailto:fa...@we...>>
> >>> <mailto:fa...@we... <mailto:fa...@we...>
> > <mailto:fa...@we... <mailto:fa...@we...>>>> wrote:
> >>>
> >>> Hello Yaroslav
> >>>
> >>> On 24.07.2012 00 <tel:24.07.2012%2000>
> > <tel:24.07.2012%2000>
> >> <tel:24.07.2012%2000>:57, Yaroslav Halchenko wrote:
> >>>> just for the sake of my own education:  am I not
> > correct
> >> that use of
> >>>> DNSSEC practically implies use of TCP due to large
> > packet
> >> sizes, thus
> >>>> actually an additional difficulty of spoofing,
> > thus such an
> >> attack
> >>> would
> >>>> be actually more difficult to accomplish... ?
> >>>
> >>> I do not know such details about DNSSEC, but without
> > DNSSEC the
> >>> DNS server does use TCP, if the answer is to large
> > for one packet
> >>> (1500 bytes including IP headers). In this case the
> > server ask
> >>> the resolver back through UDP to redo the request
> > through TCP.
> >>> But currently there are to many possible requests
> > through UDP
> >>> with just a small request, e.g. for ANY, which
> > usually gives in
> >>> proportion a much larger (but less then 1500 byte)
> > answer.
> >>>
> >>> About 3 years ago there was an attack with IN NS
> > requests for the
> >>> . (root) zone, which BIND has answered, even when it
> > was not
> >>> configured for recursion from the outside world. In
> > this case the
> >>> request is very small, but the answer is quite large
> > (but still
> >>> fits into one packet) with all the hostnames and IP
> > addresses for
> >>> the root nameserver from a to m.
> >>>
> >>> If requests with a faked source IP address would be
> > done from
> >>> many systems (a bot net) to a lot of non-involved
> > DNS server,
> >>> then the attacked IP address will get a lot more
> > data traffic
> >>> with the answers from all this non-involved DNS
> > server. So it is
> >>> a good idea to detect such abuse and block it, so
> > your DNS server
> >>> will not be part of this attack.
> >>>
> >>> It is very sad, that many ISPs do not implement best
> > practice and
> >>> only allow outbound traffic with source IP address
> > from their own
> >>> and customer IP ranges. If they would do it, such
> > attacks would
> >>> not be possible, or at least limited to the same ISP.
> >>>
> >>> BIND does not have any kind of rate limiting, but
> > probably this
> >>> is for good, as a lot of things will break when a
> > DNS server does
> >>> not answer the requests from legitimate clients. The
> > only thing
> >>> which safely could be blocked are DNS requests for
> > IN ANY (use a
> >>> reasonable maxretry and short findtime), as there is
> > no technical
> >>> reason for such requests. As far as I know, this are
> > only manual
> >>> request done from humans to debug a domain. Also
> > blocking request
> >>> for domains, for which your DNS server is not
> > authoritative, is
> >>> safe to do. Use it also with a reasonable maxretry
> > and short
> >>> findtime so that at least a few NX answers can get back.
> >>>
> >>>
> >>> bye Fabian
> >>>
> >>>
> >>
> >
> ------------------------------------------------------------------------------
> >
> >
> >> Live Security Virtual Conference
> >>> Exclusive live event will cover all the ways today's
> > security and
> >>> threat landscape has changed and how IT managers can
> > respond.
> >>> Discussions will include endpoint security, mobile security
> >>> and
> > the latest in
> >>> malware threats.
> > http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> >>> _______________________________________________ Fail2ban-users
> >>> mailing list Fai...@li...
> > <mailto:Fai...@li...>
> >> <mailto:Fai...@li...
> > <mailto:Fai...@li...>>
> >>> <mailto:Fai...@li...
> > <mailto:Fai...@li...>
> >> <mailto:Fai...@li...
> > <mailto:Fai...@li...>>>
> >>>
> > https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> >>>
> >>>
> >>>
> >>>
> >>>
> >>
> >
> ------------------------------------------------------------------------------
> >
> >
> >>
> >>>
> >>>
> >>> _______________________________________________ Fail2ban-users
> >>> mailing list Fai...@li...
> > <mailto:Fai...@li...>
> >> <mailto:Fai...@li...
> > <mailto:Fai...@li...>>
> >>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> >>>
> >>
> >>
> >>
> >>
> >
> ------------------------------------------------------------------------------
> >
> >
> >
> >> _______________________________________________ Fail2ban-users
> >> mailing list Fai...@li...
> > <mailto:Fai...@li...>
> >> <mailto:Fai...@li...
> > <mailto:Fai...@li...>>
> >> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> >>
> >>
> >
> >
> >
> ------------------------------------------------------------------------------
> >
> >
> _______________________________________________
> > Fail2ban-users mailing list Fai...@li...
> > <mailto:Fai...@li...>
> > https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> >
> >
> >
> >
> >
> >
> ------------------------------------------------------------------------------
> >
> >
> >
> >
> > _______________________________________________ Fail2ban-users
> > mailing list Fai...@li...
> > https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> >
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.14 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBCAAGBQJTPD+UAAoJEJPfMZ19VO/134IQAM6wXi8HvQJuh8iUo4OyrzVl
> KtQpNAtddbs2clhS9wlcN4rDKMEaDY4RL8aSzxKVRWCJHRfNMBYiyGyaRMkd0bWs
> Gm+znsp1JRVlhyhpY3TlHmT7YTdUz62qW1rCcBOFkVV5RGjMpCcK0EdfSqe/rETt
> /dYBDt4S9NSNRGhLcVtBtV+3SspMEFSmUY1VfqPVtoU4tMfRjXCqfOHVM+FC9Wtj
> 49x5NgIsBAbPg+agTQqTu+IzkDZePtMxipEatt5PruHCoFUmlcyBcvUXtLBBLOkM
> VV4ObL2Mpx9/qvCSfV2d/brxaMbeOIcryeeLXkxgsBr0atLScYl9CHet8TTmPbgP
> gnkuQ4OrOLIoXCSHWBtU9uVsRPM6JZeEqdV70EbF0eThzprS1W9XZlj+87YE/FX5
> DFJZkymrVM2hES0RJj5BrTeEq4AyEPmQdeWTI1M2FaZHvNL2WPlI0rNuZeUz5Fgs
> yFsM7E+g8o+cgM/Z7SARkIkSthd14ybQIJ/VUAch7bth2IxUQXhXNZr0KruVjij6
> vetEgXywh8/utVubx51hQpUDq8uY0MDe46rNHDN5S0exrmFwNVfcvuRTH1rQDFhc
> jYBAxuhY68hKLhfu6Q62RHz9BuAlHrzDUCJm2BPtl/wzOgnK+t977B3NRFuxy+W5
> JGf1GBtRdwwNyoLPkeQp
> =JEMy
> -----END PGP SIGNATURE-----
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>