DNS Amplification Attack  [SOLVED]

latifolia
Posts: 42
Joined: Wed 18. Aug 2021, 09:08


Post by latifolia »

Many of you may be aware of DNS amplification attacks hitting our DNS servers. With the KeyHelp configuration, many of those attacks are actually already DENIED, with almost no load on CPU resources.

With almost no resources affected by these denied DNS amplification attempts, it is somewhat unnecessary to escalate things into IP banning via IPTABLES or Fail2Ban.

The problem in fact lies within SYSLOG: lots of garbage is filling up SYSLOG, like this:

client @0x7f5e9801de60 74.58.217.180#743 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied

Lots of them.

I have been able to prevent the garbage from entering the logs by configuring:

1) go to /etc/rsyslog.d/
2) create a new conf file, e.g. vi /etc/rsyslog.d/11-exclude.conf
3) put this as the content inside:

:msg, contains, "pizzaseo.com" stop

You can also add any extra similar lines to filter out any other garbage you don't want to see in SYSLOG (e.g. the PHP session clean entry).

Now, either restart the SYSLOG service or just restart your system. You now have a cleaner version of SYSLOG.

Cheers
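The steps above, as an added example that is not part of latifolia's post: a small POSIX shell script that generates the rsyslog rule described in the post, shows a second form that diverts the matching lines into their own file instead of discarding them (so the denied-query evidence is still there if you later want Fail2Ban or an investigation to use it), and previews which lines of a constructed log sample would still reach syslog. The file name 11-exclude.conf comes from the post; the DIVERT_LOG path and the sample log lines are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original post: generates the rsyslog rule
# described above and previews its effect on sample log lines.
# 11-exclude.conf is from the post; DIVERT_LOG and SAMPLE_LOG are constructed.

RSYSLOG_CONF="${RSYSLOG_CONF:-/etc/rsyslog.d/11-exclude.conf}"
DIVERT_LOG="${DIVERT_LOG:-/var/log/named-denied.log}"   # assumed path, not from the post

# The rule exactly as in the post: any message containing the string is dropped.
drop_rule() {
    printf ':msg, contains, "%s" stop\n' "$1"
}

# Variant that keeps the evidence: write matching lines to their own file first,
# then stop them ('& stop' applies a second action to the same selector), so
# syslog stays clean but the denied queries remain available for later review.
divert_rule() {
    printf ':msg, contains, "%s" %s\n& stop\n' "$1" "$2"
}

# Preview of the 'contains' filter: prints the lines that would still reach
# syslog. Plain fixed-string matching, like rsyslog's 'contains'.
preview_filter() {
    grep -v -F -- "$1"
}

# Constructed sample lines in the same shape as the one quoted in the post
# (documentation IP ranges, not real clients).
SAMPLE_LOG=$(cat <<'EOF'
client @0x7f5e9801de60 203.0.113.10#743 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
client @0x7f5e9801de61 198.51.100.5#53001 (example.net): query (cache) 'example.net/A/IN' approved
client @0x7f5e9801de62 203.0.113.11#40120 (pizzaseo.com): query (cache) 'pizzaseo.com/ANY/IN' denied
sshd[1234]: Accepted publickey for admin from 192.0.2.7 port 4242
EOF
)

# Number of sample lines that survive the filter for a given string.
count_kept() {
    printf '%s\n' "$SAMPLE_LOG" | preview_filter "$1" | wc -l | tr -d ' '
}

# Write the rule, check the syntax (rsyslogd -N1) and reload, when rsyslog is
# installed. Not called automatically below because it writes to /etc.
install_drop_rule() {
    drop_rule "$1" > "$RSYSLOG_CONF"
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 && systemctl restart rsyslog
    fi
}

# Demonstration: show both rule forms and what syslog would still receive.
echo "--- drop rule ---";   drop_rule pizzaseo.com
echo "--- divert rule ---"; divert_rule pizzaseo.com "$DIVERT_LOG"
echo "--- lines kept ---";  printf '%s\n' "$SAMPLE_LOG" | preview_filter pizzaseo.com
```

Run `count_kept` or `preview_filter` against a copy of your real syslog before installing the rule: `contains` is a plain substring match, so a rule on the domain name will also drop any unrelated line that happens to mention it, and a rule on a word like "denied" alone would hide other denials you probably do want to see. The divert form costs one extra file but keeps the record of who is sending the amplification queries.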