Hi,

Nmap shows you have port 53 open to the internet. This is a really bad idea as it opens you up to DNS amplification attacks.

You need to block port 53 on your firewall (Hugo has provided iptables rules to do this in an earlier message, although you should drop from everywhere, not just this specific IP). 9/10, opening port 53 to the internet is not a good move.

Thanks,
Ben



On Sun, Jul 24, 2022 at 13:22, Hugo Mills via BitFolk Users <users@mailman.bitfolk.com> wrote:
On Sun, Jul 24, 2022 at 01:05:55PM +0100, Ian Bowden via BitFolk Users wrote:
> My VPS is receiving 250 connections per second from an IP 51.81.86.37. This
> started yesterday evening. I've no idea who is doing it or why.
>
> The logfiles are filling up as fast as I can delete them, but my website
> keeps falling over as all the disk space has been filled.
>
> Sample from syslog:
>
> Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client
> 51.81.86.37#44122 (.): query (cache) './ANY/IN' denied
> Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client
> 51.81.86.37#44122 (.): query (cache) './ANY/IN' denied
> Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client
> 51.81.86.37#17043 (.): query (cache) './ANY/IN' denied
> Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client
> 51.81.86.37#17043 (.): query (cache) './ANY/IN' denied
> Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client
> 51.81.86.37#17043 (.): query (cache) './ANY/IN' denied
> Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client
> 51.81.86.37#17043 (.): query (cache) './ANY/IN' denied
>
> The IP belongs to a cloud hosting service, OVH. I've written an email to
> abuse@ovh.ca, but I don't hold out much hope of them sorting it out.
>
> Does anyone have a suggestion for how I should proceed?
>
> Ian.

At least for now, I'd suggest blocking (dropping) that IP address
with some firewall rules. I believe that iptables has been superseded
by bpfilter, but I've never used the latter. In case the iptables
interface still works, I'd do something like:

# iptables --append INPUT --source 51.81.86.37 --protocol tcp --dport 53 --jump DROP
# iptables --append INPUT --source 51.81.86.37 --protocol udp --dport 53 --jump DROP

This will block any traffic to the DNS port from that IP address.

Hugo.

--
Hugo Mills | The English language has the mot juste for every
hugo@... carfax.org.uk | occasion.
http://carfax.org.uk/ |
PGP: E2AB1DE4 |
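As an added example for this thread (not code from Ian, Hugo or Ben), the script below turns Ian's syslog excerpt into the two things the replies ask for: it counts denied queries per source IP from BIND's `query ... denied` lines, flags sources whose burst rate and share of `ANY` queries look like amplification probing, and emits iptables rules in the form Hugo used (with `--protocol`, which `--dport` requires), either for one source or, as Ben recommends, for port 53 from everywhere. The sample log lines are constructed to match the single-line form of the lines in the mail (which were wrapped by the mail client), the hostname and the 51.81.86.37 source are taken from the thread, the 192.0.2.x addresses are documentation-range placeholders, and the thresholds are assumptions to be tuned to real traffic.

```python
import re
from collections import defaultdict

# Matches the single-line form of the lines in Ian's excerpt:
#   Jul 24 12:39:52 host named[629]: client 51.81.86.37#44122 (.): query (cache) './ANY/IN' denied
DENIED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+) \([^)]*\): "
    r"query \(cache\) '(?P<name>[^/']*)/(?P<qtype>[A-Z0-9]+)/IN' denied$"
)

# Constructed sample, modelled on the thread: six ANY queries from the
# OVH address in one second, one ordinary denied lookup, one unrelated line.
SAMPLE_LOG = [
    "Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client 51.81.86.37#44122 (.): query (cache) './ANY/IN' denied",
    "Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client 51.81.86.37#44122 (.): query (cache) './ANY/IN' denied",
    "Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client 51.81.86.37#17043 (.): query (cache) './ANY/IN' denied",
    "Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client 51.81.86.37#17043 (.): query (cache) './ANY/IN' denied",
    "Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client 51.81.86.37#17043 (.): query (cache) './ANY/IN' denied",
    "Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client 51.81.86.37#17043 (.): query (cache) './ANY/IN' denied",
    "Jul 24 12:39:53 buddhismwithoutboundaries named[629]: client 192.0.2.10#5353 (.): query (cache) 'example.com/A/IN' denied",
    "Jul 24 12:39:53 buddhismwithoutboundaries sshd[812]: Connection closed by 192.0.2.20 port 50122",
]


def parse_denied(line):
    """Return the fields of one denied-query line, or None if the line is not one."""
    m = DENIED_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def summarize(lines):
    """Per source IP: denied queries, ANY queries, and the peak number of denials in one second."""
    per_ip = defaultdict(lambda: {"denied": 0, "any": 0, "per_second": defaultdict(int)})
    for line in lines:
        rec = parse_denied(line)
        if rec is None:
            continue  # unrelated syslog lines are skipped
        s = per_ip[rec["ip"]]
        s["denied"] += 1
        if rec["qtype"] == "ANY":
            s["any"] += 1
        s["per_second"][rec["ts"]] += 1  # syslog timestamps have 1 s resolution
    return {
        ip: {"denied": s["denied"], "any": s["any"],
             "peak_per_second": max(s["per_second"].values())}
        for ip, s in per_ip.items()
    }


def flag_amplifiers(stats, min_peak_per_second=50, min_any_share=0.5):
    """Sources that both burst quickly and mostly ask for ANY, the profile of
    amplification probing.  Default thresholds are assumptions for this example."""
    flagged = []
    for ip, s in stats.items():
        any_share = s["any"] / s["denied"] if s["denied"] else 0.0
        if s["peak_per_second"] >= min_peak_per_second and any_share >= min_any_share:
            flagged.append(ip)
    return sorted(flagged)


def drop_rules(source=None):
    """iptables commands in Hugo's form (corrected to use --protocol).  With
    source=None the rules drop port 53 from everywhere, as Ben recommends."""
    src = f"--source {source} " if source else ""
    return [
        f"iptables --append INPUT {src}--protocol {proto} --dport 53 --jump DROP"
        for proto in ("tcp", "udp")
    ]


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    # The sample holds only a few lines, so the burst threshold is lowered here.
    for ip in flag_amplifiers(stats, min_peak_per_second=5):
        print(f"{ip}: {stats[ip]}")
        for rule in drop_rules(ip):
            print("   ", rule)
```

Run it against a real file with `summarize(open("/var/log/syslog"))`; the per-IP summary also makes a reasonable attachment for an abuse report, since it shows rate, query type and time window rather than a raw log dump.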