I'll be closing TCP/53 to the Internet - NOW.
You need to close UDP/53 as well! It is widely abused for DDoS amplification; you really should not offer DNS service on the Internet unless you have modern software to do rate limiting, etc.
Look at the poor souls who make a change to their MikroTik router (usually configuring it for PPPoE according to the directions they find on YouTube instead of according to the manual) and mistakenly open their DNS resolver to the Internet... they end up being abused as a DDoS amplifier/reflector all the time.
We run a slave DNS server for AMPRnet as well, but: only on the 44 network.
Rob
Rob,
/I'll be closing TCP/53 to the Internet - NOW. /
You need to close UDP/53 as well! It is widely abused for DDoS amplification; you really should not offer DNS service on the Internet unless you have modern software to do rate limiting, etc.
...I NEVER had udp/53 opened, as I do not offer DNS to the Internet, only you guys.
In addition, my firewall was blocking the SYN Floods; and I also rate limit all open ports on my ISP and AMPRNet.
It appears these packets are coming from a 44 IP address anyway...
:-)
Thanks,
-KB3VWG
Rob,
It appears the SYN Floods are actually coming from AMPRNet, not the Internet:
2017-06-27 13:16:16.705 3600.001 TCP 44.136.24.62:52055 -> 44.60.44.3:53 9 695 1
2017-06-27 13:16:16.705 3600.001 TCP 44.60.44.3:53 -> 44.136.24.62:52055 41 49452 1
2017-06-27 13:18:41.842 3600.004 TCP 44.136.24.62:51655 -> 44.60.44.3:53 4 306 1
2017-06-27 13:18:41.842 3600.004 TCP 44.60.44.3:53 -> 44.136.24.62:51655 28 37152 1
After closing tcp/53, this is the only host causing hits on my SYN Flood filter.
- KB3VWG
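As an added defender-side example (not code from this thread or from AMPRnet), the Python below parses flow records in the layout quoted above, counts the clients hitting the name server's port 53, flags any that sit outside the 44 network (the "only on the 44 network" policy Rob describes), and computes the response-to-query byte ratio that makes an exposed DNS server attractive as an amplifier. The 203.0.113.9 client line, treating all of 44.0.0.0/8 as the 44 network, and using 44.60.44.3 as the server are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample in the layout of the flow records quoted above
# (date time duration proto src -> dst packets bytes flows); the last
# line is made up to show a client outside the 44 network.
SAMPLE_FLOWS = """\
2017-06-27 13:16:16.705 3600.001 TCP 44.136.24.62:52055 -> 44.60.44.3:53 9 695 1
2017-06-27 13:16:16.705 3600.001 TCP 44.60.44.3:53 -> 44.136.24.62:52055 41 49452 1
2017-06-27 13:18:41.842 3600.004 TCP 44.136.24.62:51655 -> 44.60.44.3:53 4 306 1
2017-06-27 13:20:00.000 0.010 UDP 203.0.113.9:4444 -> 44.60.44.3:53 1 64 1
"""

# Assumption: all of 44.0.0.0/8 counts as "the 44 network".
AMPRNET = ipaddress.ip_network("44.0.0.0/8")


def parse_flow(line):
    """One record -> dict with parsed addresses, ports and byte count."""
    _d, _t, _dur, proto, src, _arrow, dst, pkts, byts, _flows = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"proto": proto,
            "src": ipaddress.ip_address(src_ip), "sport": int(src_port),
            "dst": ipaddress.ip_address(dst_ip), "dport": int(dst_port),
            "packets": int(pkts), "bytes": int(byts)}


def dns_clients(text, server, allowed=AMPRNET):
    """{client: (flow_count, "allowed"|"outside")} for flows to server:53.

    "outside" means the client is not inside the allowed network, i.e. it
    would be dropped under the 44-only policy described in the thread.
    """
    server = ipaddress.ip_address(server)
    counts = Counter(r["src"] for r in map(parse_flow, text.splitlines())
                     if r["dst"] == server and r["dport"] == 53)
    return {str(ip): (n, "allowed" if ip in allowed else "outside")
            for ip, n in counts.items()}


def amplification_ratio(text, server):
    """Bytes the server sent from port 53 divided by bytes it received on it."""
    server = ipaddress.ip_address(server)
    recs = [parse_flow(l) for l in text.splitlines()]
    got = sum(r["bytes"] for r in recs if r["dst"] == server and r["dport"] == 53)
    sent = sum(r["bytes"] for r in recs if r["src"] == server and r["sport"] == 53)
    return sent / got if got else 0.0
```

On the sample, 44.136.24.62 is the only 44-network client (matching the single host left on the SYN flood filter), 203.0.113.9 would be rejected, and the server sends roughly 46 bytes for every byte it receives on port 53.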