Hey Everybody,
I recently saw iftop showing a couple "connections" of ~200Kbps persistently on a box and because this wasn't the usual, I looked into it. Turns out it was caused by DNS lookups of type ANY ripe.net repeatedly. I can only assume this is an amplification attack. This box uses BIND 9.9.1-P3 is public facing and does recursive lookups (also authoritative). Now that that's out of the way, I'm looking/thinking of ways the prevent this obviously. This isn't causing a problem on a 100Mb link now but could get there quickly. As far as I know I don't have a lot of options, maybe iptables with some sort of limiting. ACLs would normally help, and would be perfect if I could get it to use a SQL database as the backend, and use that as a whitelist to at least mitigate the issue. If anyone has experience on the subject or an idea, it is much appreciated.
Regards, Paul