Hello,
On Sun, Sep 30, 2018 at 08:31:03PM +0100, Matt Holgate wrote:
Has anyone else been seeing (what appears to be) DDOS attempts against their VPS's?
Yes, but they're not attacking you, they are forged requests
attacking the source IPs. There's a lot of it about at the moment.
Apparently there is enough amplification that just using any open
TCP service is good enough.
Any ideas also on the best way to block? (I was reading about SYN cookies, but not sure if this is a good idea or not).
The biggest problem is UDP services which allow amplification.
That's why we scan for open DNS resolvers and open portmappers, and
ask customers to firewall them or disable them. Some of these
services have ridiculous amplification factors like 1,000x.
Recently we had a spate of customer authoritative DNS servers being
used for this. By sending forged queries for a very large DNS answer
it is possible to get something like 30x amplification from an
otherwise properly configured authoritative DNS server. So, if
running your own DNS servers you should consider rate-limiting
queries. BIND has this feature built in; PowerDNS recommends putting
dnsdist in front of it for this purpose.
Any kind of UDP service these days needs careful consideration
before making it available to the whole Internet, because the lack of
a TCP three-way handshake makes spoofing so much easier.
When it comes to TCP servers there isn't a huge amount you can do. I
think that with modern Linux kernels (>= 3.x) it is okay to enable
SYN cookies.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
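To make the "rate-limit queries on an authoritative server" advice concrete, here is a small added model of response rate limiting, written for this thread and not taken from BIND, PowerDNS or dnsdist. It follows the shape of BIND's `rate-limit { responses-per-second N; slip M; }` statement: clients are grouped by /24 (IPv4) or /56 (IPv6) so a spoofer cannot dodge the limit by varying low address bits, identical responses to one group are capped per second, and every `slip`-th excess response is sent truncated (TC=1) rather than dropped, which carries no amplification and lets a real client retry over TCP. The query stream, the packet sizes (40-byte query, 1200-byte answer, so 30x unlimited) and the addresses are all constructed for the example.

```python
"""Simplified DNS response rate limiting (RRL) model.

Constructed example for the thread above; the limiter, sizes and
query stream are illustrative and are not BIND's or dnsdist's code.
"""
import ipaddress
from collections import defaultdict


class ResponseRateLimiter:
    """Cap identical responses per client network per second.

    responses_per_second: answers allowed per (client net, qname, qtype) per window
    slip: every slip-th excess response is truncated instead of dropped (0 = never)
    """

    def __init__(self, responses_per_second=5, slip=2, window=1.0):
        self.rps = responses_per_second
        self.slip = slip
        self.window = window
        self.buckets = {}                    # key -> (window_start, count)
        self.excess = defaultdict(int)       # key -> excess responses seen

    @staticmethod
    def key(src_ip, qname, qtype):
        # Group clients by prefix (BIND's default RRL prefix lengths).
        addr = ipaddress.ip_address(src_ip)
        plen = 24 if addr.version == 4 else 56
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper())

    def decide(self, now, src_ip, qname, qtype):
        """Return 'answer', 'truncate' or 'drop' for one incoming query."""
        k = self.key(src_ip, qname, qtype)
        start, count = self.buckets.get(k, (now, 0))
        if now - start >= self.window:       # new window for this key
            start, count = now, 0
        count += 1
        self.buckets[k] = (start, count)
        if count <= self.rps:
            return "answer"
        # Over the limit: mostly drop, but occasionally send a TC=1 reply so a
        # genuine (non-spoofed) client can fall back to TCP.
        self.excess[k] += 1
        if self.slip and self.excess[k] % self.slip == 0:
            return "truncate"
        return "drop"


def run(limiter, queries, query_len=40, answer_len=1200):
    """Feed (time, src_ip, qname, qtype) tuples through the limiter.

    Returns action counts plus bytes_out / bytes_in, i.e. the amplification
    factor the server actually delivers toward the (possibly spoofed) source.
    """
    stats = {"answer": 0, "truncate": 0, "drop": 0}
    bytes_in = bytes_out = 0
    for t, src, name, qtype in queries:
        action = limiter.decide(t, src, name, qtype)
        stats[action] += 1
        bytes_in += query_len
        # A truncated reply repeats only the question, roughly query-sized.
        bytes_out += {"answer": answer_len, "truncate": query_len, "drop": 0}[action]
    stats["amplification"] = round(bytes_out / bytes_in, 2)
    return stats


# Constructed traffic: 50 forged queries in half a second, all claiming to
# come from one victim address and asking for a large record set.
FLOOD = [(i * 0.01, "203.0.113.7", "example.com", "ANY") for i in range(50)]
# Constructed ordinary client doing a single lookup.
LEGIT = [(0.0, "198.51.100.9", "www.example.com", "A")]


if __name__ == "__main__":
    print("unlimited:", run(ResponseRateLimiter(responses_per_second=1000), FLOOD))
    print("rrl 5/s slip 2:", run(ResponseRateLimiter(5, 2), FLOOD))
    print("legit client:", run(ResponseRateLimiter(5, 2), LEGIT))
```

With the limiter effectively off the server returns 30x the bytes it receives; with 5 responses/second and slip 2 it answers the first five, truncates 22 of the remaining 45 and drops 23, bringing delivered amplification down to about 3.4x while a legitimate single query is still answered. Real RRL also has an all-per-second style cap so that a flood spread over many source prefixes is still bounded; this model only shows the per-client mechanism. For the TCP side of the post, the Linux knob is the `net.ipv4.tcp_syncookies` sysctl.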