I've noticed that after I've leaven the router
a few days with the DNS
relay open (big mistake!), I was receiving a stream of dummy querys
about a hundred per second.
Indeed that is a big mistake :-)
But it is good that you know that and so you can take countermeasures.
Normally after a couple of days this flood will stop, although there is
always some remaining noise from other kinds of DDoS.
E.g. systems on internet sending a DNS request like that to a resolver they
want to attack, with (one of) your address(es) as the source. The resolver
will send back the large "reply" to your system and there is nothing that
can be done about it. The source address of the packets is the system under
attack, and it is no use sending an abuse message to them because they cannot
do anything either (except blocking DNS requests from 44.x.x.x addresses, but
that could result in "problems" for legitimate users in our network).
This problem can only be solved by widespread adoption of BCP38 (source
address filtering), and the takeup is slow.
Anyway, when configuring your firewall make sure you have a "default deny"
policy and allow only the protocols that you know you are using. This is
especially true for UDP. e.g. SNMP (UDP port 161) is another attack vector
similar to what you have seen now. Don't allow SNMP from the internet.
Best is to allow only what you really need, and for protocols like NTP (UDP 123)
make sure that it is correctly configured so that it only does time replies
to internet addresses and does not allow queries except from the local network.
(queries can return much more data than the size of the query packet so they
are used in amplification attacks, time replies are the same size as the request)
Rob