The Community Forums

Interact with an entire community of cPanel & WHM users!

High CPU usage on named (bind)

Discussion in 'Security' started by etoppl, Jan 12, 2015.

  1. etoppl

    etoppl Registered

    Joined:
    Jan 17, 2008
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Over the last few months we've noticed that our hosting servers suffer from high CPU usage (even the 24-core ones).

    After examination it showed that the cause is simple: named causes high load.

    The cause was DNS DoS queries (even though the server is set up as authoritative only, and is not an open resolver).

    To fix this we managed to write a script that is able to recognise the attacking IP and block it via CSF.


    to implement it :

    Code:
    1. install CSF (Config Server Firewall) and enable (testing=0)
    2. make a script in /root
    #touch /root/dnsddos.sh
    #vi /root/dnsddos.sh
    
    then copy/paste:
    
    #!/bin/bash
    IFS=$'\n'
    # first three octets of this server's own IP; addresses in this range are never blocked
    a=x.y.z
    rm -f /tmp/dnsddos.catch
    rm -f /tmp/dnsddos.count
    touch /tmp/dnsddos.count
    # capture 200 UDP packets sent to port 53 and keep the source IPv4 address of each one
    # (field 3 of a tcpdump line is "src.ip.port"; its first four dot-separated parts are the address)
    tcpdump -i eth0 -n -c 200 udp dst port 53 |cut -f3 -d' ' |cut -f1-4 -d'.' |grep -v "^$a\." |grep -v packets > /tmp/dnsddos.catch
    # sort first so that uniq counts every packet per address, not only adjacent duplicates
    sort /tmp/dnsddos.catch | uniq -c -d | sed -e 's/^ *//' -e 's/ *$//' > /tmp/dnsddos.count
    for i in $(cat /tmp/dnsddos.count)
            do
            c=$(echo "$i" |cut -f1 -d' ')   # packet count
            p=$(echo "$i" |cut -f2 -d' ')   # source address
            # block any address that sent 60 or more of the 200 captured queries
            if test "$c" -ge 60
                    then
                    /usr/sbin/csf -d "$p" 'DNS DDOSER'
                    fi
            done
    
    3. change the a= line to something like a=192.168.0, using the first three octets of your server's IP instead of 192.168.0
    4. #chmod 777 /root/dnsddos.sh
    5. edit /etc/csf/csf.conf
    and change lines below to be as :
    
    PT_LOAD = "30"
    PT_LOAD_AVG = "1"
    PT_LOAD_LEVEL = "10"
    PT_LOAD_SKIP = "900"
    PT_LOAD_ACTION = "/root/dnsddos.sh"
    
    6. #/etc/init.d/csf restart

    Now when a DNS DDoSer tries to flood you with requests, the firewall automatically blocks the attacker's IP, causing the load to drop dramatically.

    Well, it is just the 1st version of the script, so feel free to improve it.


    Best Regards
    Konrad Olszewski
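To show what the script's counting stage actually does on real tcpdump output, here is an added example (not part of the post above) that runs the same source-address extraction, own-prefix exclusion and threshold over a constructed capture; the sample lines, the own prefix 192.0.2 and the threshold values are assumptions. It also sorts before counting, which matters because uniq alone only merges adjacent lines, so an attacker whose packets are interleaved with other traffic would be undercounted.

```shell
#!/bin/sh
# Constructed sample of tcpdump one-line output (not a real capture). Field 3 is
# "src.ip.port". 203.0.113.7 sends 3 queries but they are never adjacent; the
# server's own 192.0.2.10 also sends 3 and must be ignored; 198.51.100.9 sends 1.
SAMPLE_CAPTURE='12:00:00.000001 IP 203.0.113.7.40001 > 192.0.2.10.53: 1+ A? example.com. (29)
12:00:00.000002 IP 198.51.100.9.40002 > 192.0.2.10.53: 2+ ANY? example.com. (29)
12:00:00.000003 IP 192.0.2.10.40003 > 192.0.2.10.53: 3+ A? www.example.com. (33)
12:00:00.000004 IP 203.0.113.7.40004 > 192.0.2.10.53: 4+ A? example.com. (29)
12:00:00.000005 IP 192.0.2.10.40005 > 192.0.2.10.53: 5+ A? www.example.com. (33)
12:00:00.000006 IP 203.0.113.7.40006 > 192.0.2.10.53: 6+ A? example.com. (29)
12:00:00.000007 IP 192.0.2.10.40007 > 192.0.2.10.53: 7+ A? www.example.com. (33)'

# dns_offenders OWN_PREFIX THRESHOLD
# Reads tcpdump lines on stdin and prints "count ip" for every source address
# outside OWN_PREFIX that appears at least THRESHOLD times.
dns_offenders() {
    own_prefix="$1"
    threshold="$2"
    cut -f3 -d' ' | cut -f1-4 -d'.' | sort | uniq -c \
      | awk -v p="$own_prefix." -v t="$threshold" \
            'index($2, p) != 1 && $1 >= t { print $1, $2 }'
}

# Same thresholding without sort: only adjacent packets are merged, so the
# interleaved attacker above is missed entirely. Kept here to show the pitfall.
dns_offenders_unsorted() {
    own_prefix="$1"
    threshold="$2"
    cut -f3 -d' ' | cut -f1-4 -d'.' | uniq -c \
      | awk -v p="$own_prefix." -v t="$threshold" \
            'index($2, p) != 1 && $1 >= t { print $1, $2 }'
}

# Dry run: print the csf command per offender instead of executing it.
printf '%s\n' "$SAMPLE_CAPTURE" | dns_offenders 192.0.2 3 \
  | while read -r count ip; do
        echo "would run: /usr/sbin/csf -d $ip 'DNS DDOSER' ($count queries)"
    done
```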
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,787
    Likes Received:
    665
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Thank you for taking the time to provide this script. I've moved this to our "Security" forum as it will likely receive more user feedback and visibility here.
     