Zombie Bot Back-Draft?

Starting on about the 27th of July, sema.cz became the subject of a DNS query flood from all around the world in huge numbers (at 350,000 requests per hour; hundreds of sources).

Suddenly, in sync with Aug 1 (00:00:00) rolling in around the globe (Asia, Europe, etc.):
It stopped.

All of the ‘watch words’ we’ve been jamming in fail2ban vanished.  By 00:00:00 Eastern US: 1 IP in the 2 hour block box.  At 12:00:00 (pm) July 31: 1000+.

Whatever time-bomb went off and killed all the zombie bots – hoozah.

There is something very creepy about it, though.

When (in the zombie apocalypse wars) you get a ‘tides have gone out’ moment: fortify defenses.

Updated fail2ban from 8.8 to 8.10.  Lots of features and fixes noted at their site – hope so, have had some trouble with fail2ban 8.8 and this recent assault.

In the last 2 weeks we have put some smarter rules in effect: empty zones with ‘deny’ default in /etc/named.conf

// sema.cz 7.29.13 - 7.30.13 100s
zone "sema.cz" {
        type master;
        allow-query { none; };
        allow-transfer { none; };
        file "named.empty";
};

This, of course, adds some bloat to the logs ( /IN/ANY denied line ). But it doesn’t go upstream.
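Those denied lines are also what a fail2ban-style filter can count per source. The sketch below is an added example, not code from this post or from fail2ban: it parses denied-query lines and flags any source that reaches a threshold inside a time window. The log line layout, the sample addresses (documentation ranges) and the threshold values are assumptions constructed for illustration; the parameter names simply mirror fail2ban's maxretry and findtime settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the shape BIND writes for a refused query
# (timestamp, category, client ip#port, query 'name/type/class' denied).
SAMPLE_LOG = """\
01-Aug-2013 11:58:01.101 security: info: client 203.0.113.7#4512: query 'sema.cz/ANY/IN' denied
01-Aug-2013 11:58:01.350 security: info: client 203.0.113.7#4512: query 'sema.cz/ANY/IN' denied
01-Aug-2013 11:58:02.010 security: info: client 198.51.100.23#53: query 'sema.cz/ANY/IN' denied
01-Aug-2013 11:58:02.400 security: info: client 203.0.113.7#9981: query 'sema.cz/ANY/IN' denied
01-Aug-2013 11:58:03.000 general: info: zone example.org/IN: loaded serial 2013080101
01-Aug-2013 12:10:00.000 security: info: client 198.51.100.23#53: query (cache) 'sema.cz/ANY/IN' denied
"""

# Assumed line layout; the optional groups cover "(cache)" and view prefixes.
DENIED = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ .*?"
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+(?: \(\S+\))?: "
    r"(?:view \S+: )?query(?: \(cache\))? "
    r"'(?P<qname>[^/']+)/(?P<qtype>\w+)/IN' denied\s*$"
)


def offenders(log_text, maxretry=3, findtime=timedelta(seconds=60)):
    """Return {ip: time it first reached maxretry denied queries within findtime}."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = DENIED.match(line)
        if not m or m["ip"] in banned:
            continue              # unrelated line, or source already flagged
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > findtime:
            hits.popleft()        # forget hits older than the window
        if len(hits) >= maxretry:
            banned[m["ip"]] = ts
    return banned


if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"{when:%H:%M:%S} ban {ip}")
```

The source port is ignored on purpose: the same address querying from different ports still counts toward one total.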

More later, if the DNS ddos returns, or if time permits.

******** 8.1.13 (later in the day) update *********

Still too quiet after 100s-of-millions of attempts over the last 2 months.

The couple that have appeared reveal that the updated fail2ban tries to be nicey-nice ( reject ) instead of dumping zombies into the pit of oblivion (drop).

The new fail2ban default is:
blocktype = REJECT --reject-with icmp-port-unreachable

So, I am trying in the jail.conf file:

action  = iptables-allports[name=dnsflood, blocktype=DROP]

Took about 1 minute for the last of the zombie-hee-cans to get DROP-ped.  Something went right today.



