    Pi-hole server involved in a 'DNS Amplification' DDOS Attack

    • DustinB3403

      Although I do wonder how Google manages. . . .

      • scottalanmiller @DustinB3403

        @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

        Although I do wonder how Google manages. . . .

        How does Cloudflare mitigate DNS amplification attacks?

        With a properly configured firewall and sufficient network capacity (which isn't always easy to come by unless you are the size of Cloudflare), it's trivial to block reflection attacks such as DNS amplification attacks. Although the attack will target a single IP address, our Anycast network will scatter all attack traffic to the point where it is no longer disruptive. Cloudflare is able to use our advantage of scale to distribute the weight of the attack across many Data Centers, balancing the load so that service is never interrupted and the attack never overwhelms the targeted server’s infrastructure. During a recent six month window our DDoS mitigation system "Gatebot" detected 6,329 simple reflection attacks (that's one every 40 minutes), and the network successfully mitigated all of them. Learn more about Cloudflare's advanced DDoS Protection.

        Source: https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/

        • scottalanmiller

          Source IP verification – stop spoofed packets leaving network

          Because the UDP requests being sent by the attacker’s botnet must have a source IP address spoofed to the victim’s IP address, a key component in reducing the effectiveness of UDP-based amplification attacks is for Internet service providers (ISPs) to reject any internal traffic with spoofed IP addresses. If a packet is being sent from inside the network with a source address that makes it appear like it originated outside the network, it’s likely a spoofed packet and can be dropped. Cloudflare highly recommends that all providers implement ingress filtering, and at times will reach out to ISPs who are unknowingly taking part in DDoS attacks and help them realize their vulnerability.

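Added example, not part of the thread or of the Cloudflare text quoted in it: the source IP verification described above, expressed as the decision a border egress filter makes for each outbound packet. The prefixes, packet dicts and function names are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: the prefixes this network legitimately originates.
# Constructed values from the RFC 5737 / RFC 3849 documentation ranges.
INTERNAL_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:10::/48"),
]


def is_valid_source(src, prefixes=INTERNAL_PREFIXES):
    """True only if src parses as an IP address inside one of our own prefixes."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source address: never forward it
    return any(addr.version == net.version and addr in net for net in prefixes)


def egress_filter(packets, prefixes=INTERNAL_PREFIXES):
    """Split outbound packets into (forwarded, drop count per claimed source)."""
    forwarded, dropped = [], Counter()
    for pkt in packets:
        if is_valid_source(pkt["src"], prefixes):
            forwarded.append(pkt)
        else:
            # The claimed source is where a resolver's reply would have gone,
            # so the per-source count shows which address was being framed.
            dropped[pkt["src"]] += 1
    return forwarded, dropped


# Constructed outbound UDP/53 queries as seen on the border interface.
SAMPLE_PACKETS = [
    {"src": "192.0.2.15", "dst": "198.51.100.53", "dport": 53},      # ours
    {"src": "203.0.113.7", "dst": "198.51.100.53", "dport": 53},     # foreign source
    {"src": "203.0.113.7", "dst": "198.51.100.54", "dport": 53},     # foreign source
    {"src": "2001:db8:10::5", "dst": "2001:db8:ffff::53", "dport": 53},  # ours (IPv6)
    {"src": "192.0.3.1", "dst": "198.51.100.53", "dport": 53},       # adjacent, not ours
    {"src": "not-an-ip", "dst": "198.51.100.53", "dport": 53},       # malformed
]

if __name__ == "__main__":
    fwd, drop = egress_filter(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)} packets")
    for src, count in drop.most_common():
        print(f"dropped {count} packet(s) claiming source {src}")
```
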
          • JaredBusch @scottalanmiller

            @scottalanmiller said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

            But you still want it when not at home.

            Not worth the effort.

            • Dashrender @JaredBusch

              @JaredBusch said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

              @scottalanmiller said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

              But you still want it when not at home.

              Not worth the effort.

              I agree with this mostly because it will break any portal-based open wifi someone tries to use.

              But if a user is using their own cellphone/mifi, etc to get online while away from home - it could be worth it.

              • Dashrender @scottalanmiller

                @scottalanmiller said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                Source IP verification – stop spoofed packets leaving network

                Because the UDP requests being sent by the attacker’s botnet must have a source IP address spoofed to the victim’s IP address, a key component in reducing the effectiveness of UDP-based amplification attacks is for Internet service providers (ISPs) to reject any internal traffic with spoofed IP addresses. If a packet is being sent from inside the network with a source address that makes it appear like it originated outside the network, it’s likely a spoofed packet and can be dropped. Cloudflare highly recommends that all providers implement ingress filtering, and at times will reach out to ISPs who are unknowingly taking part in DDoS attacks and help them realize their vulnerability.

                hmm... I think someone posted something like this higher in the thread. 😉

                • DustinB3403 @Dashrender

                  @Dashrender yeah it was me who said it around post 20.

                  • bnrstnr

                    @DustinB3403 didn't you say the method above would only work for devices on the Pi-Hole's LAN?

                    • DustinB3403

                      @bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                      @DustinB3403 didn't you say the method above would only work for devices on the Pi-Hole's LAN?

                      The method linked by someone else would, yes. As it's impractical to try to do said linked approach for the open internet.

                      Again, it's what you would do, but isn't practical because of your scale.

                      Post 18.

                      @DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                      But the reported issue is that these requests appear to come from your devices. I.e., they are spoofed or are legitimately coming from your trusted network.

                      Can you set up ingress filtering for this?

                      This is the approach proposed by Curtis.

                      @Curtis said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:

                      https://freek.ws/2017/03/18/blocking-dns-amplification-attacks-using-iptables/
