Hi,
Yesterday morning we were notified via abuse report that two
customer VPSes had participated in a distributed denial of service
attack on a remote site.
The vector of attack was to abuse the customer's recursive
nameserver with forged queries for a large record in the DNS,
turning a 78 byte query into a 4KiB response - 52x amplification of
traffic. Each customer only contributed around 800kbit/sec to the
attack, but many thousands of insecure resolvers will have been
abused in total.
Firewall rules were put in place on BitFolk's side to deny UDP port
53 access to the customer's VPSes and customers were contacted to
arrange for correction of their configuration.
A full scan of BitFolk IP space was then undertaken and one more
customer with an insecure resolver was discovered. In this case
rather than the usual installation of BIND, it turned out to be
dnsmasq. They have since corrected this.
I would like to take this opportunity to remind those operating
nameservers on their VPSes that recursion should only be offered to
trusted hosts, not the entire Internet. Allowing arbitrary hosts to
issue recursive queries can lead to participation in DDoS attacks
(as seen here) and other unpleasant outcomes. For these reasons open
recursive nameservers are not permitted on BitFolk's network.
https://bitfolk.com/orns.html
Cheers,
Andy
About this email:
https://tools.bitfolk.com/wiki/Security_incident_postings
--
http://bitfolk.com/ -- No-nonsense VPS hosting
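As an added example (not code from BitFolk or the original posting), here is a small self-check for the situation described above: it sends one recursive query to a resolver you operate, from an address the resolver should not trust, and reads the DNS header flags to tell whether the query was served (which would make the host abusable for amplification) or refused. The target name example.com and the sample reply headers are constructed for illustration.

```python
import socket
import struct

# Flag bits in the DNS header (RFC 1035 section 4.1.1).
FLAG_QR = 0x8000   # response
FLAG_RD = 0x0100   # recursion desired (set by the client)
FLAG_RA = 0x0080   # recursion available (set by the server)
RCODE_MASK = 0x000F

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal A-record query with RD=1, as any client would send it."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(response: bytes) -> dict:
    """Decode the header bits that show whether recursion was offered."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return {"txid": txid, "qr": bool(flags & FLAG_QR), "ra": bool(flags & FLAG_RA),
            "rcode": flags & RCODE_MASK, "answers": an}

def answers_recursively(response: bytes, txid: int) -> bool:
    """True when the server resolved the name for us: RA set, NOERROR, data returned."""
    h = parse_header(response)
    return h["qr"] and h["txid"] == txid and h["ra"] and h["rcode"] == 0 and h["answers"] > 0

def check_resolver(ip: str, name: str = "example.com", timeout: float = 3.0) -> bool:
    """Send one recursive query from this host and report whether it was served.
    Run it from an address that should NOT be in the resolver's trusted list."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return False  # no reply at all: filtered or not listening
    return answers_recursively(data, txid)

# Constructed sample replies (headers only) for offline testing:
# an open resolver answering with QR|RD|RA, NOERROR and one answer RR ...
CONSTRUCTED_OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
# ... and a properly restricted one refusing the query (QR|RD, RCODE=5 REFUSED).
CONSTRUCTED_REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)

if __name__ == "__main__":
    import sys
    print("open" if check_resolver(sys.argv[1]) else "restricted")
```

A correctly configured BIND or dnsmasq instance should produce the REFUSED shape (or no reply) for queries from outside its trusted hosts.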