Recently, our network suffered from heavy DNS attack, udp flood, reflection attack..etc.
After a lots of tcpdump, capturing data from the network, and we found there are a lot of IPs from China, resolving IP from our public DNS server (actually just open for all clients only).
And because of this, they flood our international circuit. DNS reflection attack work in the way as normal name service lookup, but attacker continuously send request to DNS server, and because return IP packet contain information that make the packet size 3-5 times larger than what attacker sent us.
To prevent this happen again, we have to restrict DNS server to reply recursion request only for known networks/hosts.
# cat /etc/named.conf Continue reading