Hi,

If this is a DNS Amplification attack then 51.81.86.37 isn't the source of the attack, they're the victim. The abuser is using a spoofed IP address to get your DNS resolver to do the attacking for them. Your resolver has accidentally become one of the mob hit men. I would recommend you configure your resolver not to answer queries for domains that aren't yours from the wide world.

Sadly, since your abuser is using a spoofed IP address, they won't know you blocked them because the replies are going to the victim, so this may continue for some while after you make the config change, probably until the perp gives up on this victim and hopefully checks your resolver is still working before they move on to the next one.

Best regards,
Paul
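
Paul's advice is to fix the resolver rather than chase the address; before adding a per-address rule like Hugo's, it is worth confirming from named's own log which client the flood is actually being reflected at. This is an added example, not code from anyone in the thread; it assumes the BIND log format quoted below, and the log lines and 192.0.2.0/24 addresses are constructed for the example:

```shell
#!/bin/sh
# Added example, not from anyone in the thread: summarise BIND "query ... denied"
# log lines per client address so a flood like the one quoted stands out, then
# print matching DROP rules for review. The log lines and the 192.0.2.0/24
# addresses below are constructed for this example.

# Constructed sample in the syslog format BIND (named) used in the thread.
SAMPLE_LOG="Jul 24 12:39:52 host named[629]: client 192.0.2.10#44122 (.): query (cache) './ANY/IN' denied
Jul 24 12:39:52 host named[629]: client 192.0.2.10#44122 (.): query (cache) './ANY/IN' denied
Jul 24 12:39:52 host named[629]: client 192.0.2.10#17043 (.): query (cache) './ANY/IN' denied
Jul 24 12:39:53 host named[629]: client 192.0.2.10#17043 (.): query (cache) './ANY/IN' denied
Jul 24 12:39:53 host named[629]: client 192.0.2.10#17043 (.): query (cache) './ANY/IN' denied
Jul 24 12:39:53 host named[629]: client 192.0.2.77#5301 (.): query (cache) './ANY/IN' denied
Jul 24 12:39:54 host named[629]: zone example.org/IN: loaded serial 2022072401"

# Read log lines on stdin; print "<count> <client>" for every client with at
# least $1 denied queries (default 100), highest count first.
denied_query_sources() {
    awk -v min="${1:-100}" '
        / named\[[0-9]+\]: client / && / denied$/ {
            # the client field looks like ADDR#PORT; keep only ADDR
            for (i = 1; i <= NF; i++)
                if ($i ~ /#[0-9]+$/) { sub(/#[0-9]+$/, "", $i); n[$i]++; break }
        }
        END { for (c in n) if (n[c] >= min) print n[c], c }
    ' | sort -rn
}

# Turn "<count> <client>" lines into the DROP rules from the thread, one per
# protocol, with --protocol added (the tcp/udp matches require it). Printed
# for review only; nothing here changes the firewall.
drop_rules() {
    while read -r _count addr; do
        for proto in tcp udp; do
            printf 'iptables --append INPUT --source %s --protocol %s --match %s --dport 53 --jump DROP\n' \
                "$addr" "$proto" "$proto"
        done
    done
}

printf '%s\n' "$SAMPLE_LOG" | denied_query_sources 3 | drop_rules
```

Feed it the real log (`denied_query_sources 100 < /var/log/syslog`) to see which addresses are actually being hit, bearing in mind Paul's point that those addresses are the reflection targets, not the sender.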


On 24/07/2022 14:24, Ben via BitFolk Users wrote:
Hi,

Nmap shows you have port 53 open to the internet. This is a really bad idea as it opens you up to DNS amplification attacks.

You need to block port 53 on your firewall (Hugo has provided iptables rules to do this in an earlier message, although you should drop from everywhere, not just this specific IP). 9/10 opening port 53 to the internet is not a good move.

Thanks,
Ben



On Sun, Jul 24, 2022 at 13:22, Hugo Mills via BitFolk Users <users@mailman.bitfolk.com> wrote:
On Sun, Jul 24, 2022 at 01:05:55PM +0100, Ian Bowden via BitFolk Users wrote:
> My VPS is receiving 250 connections per second from an IP 51.81.86.37. This
> started yesterday evening. I've no idea who is doing it or why.
>
> The logfiles are filling up as fast as I can delete them, but my website
> keeps falling over as all the disk space has been filled.
>
> Sample from syslog:
>
> Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client
> 51.81.86.37#44122 (.): query (cache) './ANY/IN' denied
> Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client
> 51.81.86.37#44122 (.): query (cache) './ANY/IN' denied
> Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client
> 51.81.86.37#17043 (.): query (cache) './ANY/IN' denied
> Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client
> 51.81.86.37#17043 (.): query (cache) './ANY/IN' denied
> Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client
> 51.81.86.37#17043 (.): query (cache) './ANY/IN' denied
> Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client
> 51.81.86.37#17043 (.): query (cache) './ANY/IN' denied
>
> The IP belongs to a cloud hosting service, OVH. I've written an email to
> abuse@ovh.ca, but I don't hold out much hope of them sorting it out.
>
> Does anyone have a suggestion for how I should proceed?
>
> Ian.

At least for now, I'd suggest blocking (dropping) that IP address
with some firewall rules. I believe that iptables has been superseded
by bpfilter, but I've never used the latter. In case the iptables
interface still works, I'd do something like:

# iptables --append INPUT --source 51.81.86.37 --protocol tcp --match tcp --dport 53 --jump DROP
# iptables --append INPUT --source 51.81.86.37 --protocol udp --match udp --dport 53 --jump DROP

This will block any traffic to the DNS port from that IP address.

Hugo.

--
Hugo Mills | The English language has the mot juste for every
hugo@... carfax.org.uk | occasion.
http://carfax.org.uk/ |
PGP: E2AB1DE4 |
_______________________________________________
BitFolk Users mailing list <users@mailman.bitfolk.com>
You're subscribed as <0x620x64@protonmail.com>
Unsubscribe: <https://mailman.bitfolk.com/mailman/postorius/lists/users.mailman.bitfolk.com/>
or send an email to <users-leave@mailman.bitfolk.com>
