Pi-hole server involved in a 'DNS Amplification' DDOS Attack
-
@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@Curtis said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
https://freek.ws/2017/03/18/blocking-dns-amplification-attacks-using-iptables/
That filtering will only work for LAN only, at least as documented and would be troublesome to complete for this use case as @bnrstnr is hosting a public DNS for friends and family. All of whom likely are in different public networks.
Yup, very little that can be done.
-
Dumb question for @bnrstnr why not setup PiHole individually for each of your friends and families networks rather than dealing with a public DNS for everyone.
Is there a reason to have this setup like this besides it being cool?
-
@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
Dumb question for @bnrstnr why not setup PiHole individually for each of your friends and families networks rather than dealing with a public DNS for everyone.
Is there a reason to have this setup like this besides it being cool?
Uses a fraction of the resources, can work for people who are mobile, etc.
-
@scottalanmiller said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
Dumb question for @bnrstnr why not setup PiHole individually for each of your friends and families networks rather than dealing with a public DNS for everyone.
Is there a reason to have this setup like this besides it being cool?
Uses a fraction of the resources, can work for people who are mobile, etc.
That's true but he wouldn't need to deal with issues like the one he's currently dealing with.
Edit this also assumes that at least on their mobile computers (laptops) that the DNS is statically configured.
Seems like a bad approach.
-
@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@scottalanmiller said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
Dumb question for @bnrstnr why not setup PiHole individually for each of your friends and families networks rather than dealing with a public DNS for everyone.
Is there a reason to have this setup like this besides it being cool?
Uses a fraction of the resources, can work for people who are mobile, etc.
That's true but he wouldn't need to deal with issues like the one he's currently dealing with.
Edit this also assumes that at least on their mobile computers (laptops) that the DNS is statically configured.
Seems like a bad approach.
It's how Cisco and others handle it.
This issue doesn't come up often. Never seen it previously.
-
@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
Dumb question for @bnrstnr why not setup PiHole individually for each of your friends and families networks rather than dealing with a public DNS for everyone.
How would I set it up individually for everybody? None of my friends or family has a raspberry pi, server, or anything that could run it. I use a $2.50 instance on vultr.
-
@bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
Dumb question for @bnrstnr why not setup PiHole individually for each of your friends and families networks rather than dealing with a public DNS for everyone.
How would I set it up individually for everybody? None of my friends or family has a raspberry pi, server, or anything that could run it. I use a $2.50 instance on vultr.
They'd need one of those thing each for themselves to run it individually.
Scott's post points out why that's likely a less than desirable solution.
-
@bnrstnr Dash beat me to the answer.
But yeah, you'd setup a Pi in each person's network and then configure their local DNS to use the PiHole.
-
The occasional complaint is nothing something I would worry about - especially when you're doing nothing wrong - I wouldn't change anything from what you have today. it's way to flexible and low cost to worry about changing.,
-
@Dashrender said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
The occasional complaint is nothing something I would worry about - especially when you're doing nothing wrong - I wouldn't change anything from what you have today. it's way to flexible and low cost to worry about changing.,
That's the way I'm leaning, too. I might try to do some geo-blocking, but I doubt I'll ever get to it. Especially since nobody here has seen this before on their piholes.
-
@bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@Dashrender said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
The occasional complaint is nothing something I would worry about - especially when you're doing nothing wrong - I wouldn't change anything from what you have today. it's way to flexible and low cost to worry about changing.,
That's the way I'm leaning, too. I might try to do some geo-blocking, but I doubt I'll ever get to it. Especially since nobody here has seen this before on their piholes.
I don't think anyone else here is using PiHole as a public DNS. . .
-
@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@bnrstnr said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@Dashrender said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
The occasional complaint is nothing something I would worry about - especially when you're doing nothing wrong - I wouldn't change anything from what you have today. it's way to flexible and low cost to worry about changing.,
That's the way I'm leaning, too. I might try to do some geo-blocking, but I doubt I'll ever get to it. Especially since nobody here has seen this before on their piholes.
I don't think anyone else here is using PiHole as a public DNS. . .
I am.
-
@DustinB3403 said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@bnrstnr Dash beat me to the answer.
But yeah, you'd setup a Pi in each person's network and then configure their local DNS to use the PiHole.
That's non-trivial for home users or really small SMBs. You need somewhere to run that and most people don't have servers.
-
Had the same thing happen to my Vultr Pi-Hole.. I deleted the server for the time being.. and may not rebuild.
-
@gjacobse said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
Had the same thing happen to my Vultr Pi-Hole.. I deleted the server for the time being.. and may not rebuild.
I thought you had a WARNING that it COULD happen, not that it DID happen.
-
@scottalanmiller said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@gjacobse said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
Had the same thing happen to my Vultr Pi-Hole.. I deleted the server for the time being.. and may not rebuild.
I thought you had a WARNING that it COULD happen, not that it DID happen.
Correct.. the notice came in over the weekend.
-
@gjacobse said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@scottalanmiller said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@gjacobse said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
Had the same thing happen to my Vultr Pi-Hole.. I deleted the server for the time being.. and may not rebuild.
I thought you had a WARNING that it COULD happen, not that it DID happen.
Correct.. the notice came in over the weekend.
Right, totally different. One is being told you have an open port, which is essentially guaranteed to happen as Vultr does that every few days. The other is very unlikely, an actual attack.
Everyone on Vultr gets the one. When we said that no one else has had this happen, you didn't have it happen either.
-
@gjacobse said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@scottalanmiller said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@gjacobse said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
Had the same thing happen to my Vultr Pi-Hole.. I deleted the server for the time being.. and may not rebuild.
I thought you had a WARNING that it COULD happen, not that it DID happen.
Correct.. the notice came in over the weekend.
You can limit the access to port 53 to the locations (Homes and offices) that use your Pi-Hole in Vultr. That is how I had it on Google DNS.
-
@scottalanmiller said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@gjacobse said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@scottalanmiller said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
@gjacobse said in Pi-hole server involved in a 'DNS Amplification' DDOS Attack:
Had the same thing happen to my Vultr Pi-Hole.. I deleted the server for the time being.. and may not rebuild.
I thought you had a WARNING that it COULD happen, not that it DID happen.
Correct.. the notice came in over the weekend.
Right, totally different. One is being told you have an open port, which is essentially guaranteed to happen as Vultr does that every few days. The other is very unlikely, an actual attack.
Everyone on Vultr gets the one. When we said that no one else has had this happen, you didn't have it happen either.
This is what I received:
Dear Customer, This abuse ticket requires your immediate attention. Please correct the matter and reply to this ticket with resolution within the next 48 hours to ensure uninterrupted service. Overwhelming evidence of violation/compromise may result in VPS suspension prior to the 48 hour deadline to protect system and additional customer resources. -- Complaint Response Team -- To update or check the progress of your ticket, please reply directly to this e-mail or visit:
-
@gjacobse Vultr is seeing the traffic spike on your instance, to levels way beyond what is normal and likely for a sustained amount of time.
Thus they are telling you to fix whatever is wrong or they are shutting you down.