DDoS attack, firewall not blocking UDP?

Hello there,

Our DNS server (BIND) is getting hit by a botnet of over 1000 IP addresses.

It completely saturates the server's line, and makes BIND use about 20% of CPU power, as well as a hell of a lot of RAM.

When we kill BIND, everything responds as usual, but as soon as we kick up BIND it's fine.

We use the Shorewall firewall on the server...

When we block port 53 UDP & TCP (even though I know the attack is on just UDP, I block TCP as well) and apply the changes to the firewall... BIND still uses up resources, and the server is still unresponsive to anything (even by IP address... as the domains would be down).

It's as if Shorewall doesn't even block UDP connections.

Whereas, if we block a TCP port and try to access it, we can't, so I know it blocks TCP fine.

Has anyone else experienced this problem with Shorewall? If so, do you have any suggestions on how to fix it?

Both our name servers are offline with this attack... When we take BIND down on both servers, the servers become responsive... but that's useless because when DNS is down our domains won't work.

If I can get it blocking UDP properly, I can block the attacking IP addresses with the firewall.

thanx
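A quick way to tell whether a "block UDP 53" rule is really in effect is to read the chain Shorewall generated with `iptables -nvL INPUT`: rules are matched top to bottom, so a DROP placed below an ACCEPT for already-tracked flows only catches packets that no earlier rule took, and a DROP whose packet counter stays at zero under attack is not being reached at all. The script below is an added example, not from the original post or from Shorewall; it parses a constructed sample of that output (a real run would pipe the live command into it) and reports the position, counter and any earlier ACCEPT rules for the first udp/53 rule.

```python
"""Check whether an iptables INPUT chain is actually dropping inbound UDP/53.

Feed it the text of `iptables -nvL INPUT`; the SAMPLE below is a constructed
stand-in with a stateful ACCEPT sitting above the DROP for udp dpt:53.
"""

SAMPLE = """\
Chain INPUT (policy DROP 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8812K  620M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
     0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
   311   18K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
"""


def parse_rules(text):
    """Return (pkts, target, proto, match_text) for each rule line of one chain."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the chain header, the column header and anything too short.
        if len(parts) < 9 or parts[0] in ("Chain", "pkts"):
            continue
        pkts, target, proto = parts[0], parts[2], parts[3]
        match_text = " ".join(parts[9:])  # e.g. "udp dpt:53", "state RELATED,ESTABLISHED"
        rules.append((pkts, target, proto, match_text))
    return rules


def udp53_status(text):
    """Describe the first rule that matches udp dpt:53, or None if there is none."""
    rules = parse_rules(text)
    for idx, (pkts, target, proto, match_text) in enumerate(rules):
        if proto in ("udp", "all") and "dpt:53" in match_text:
            # ACCEPT rules above it for udp (or all protocols) are consulted first.
            shadowed_by = [
                r[3] for r in rules[:idx] if r[1] == "ACCEPT" and r[2] in ("udp", "all")
            ]
            return {"rule_index": idx, "target": target, "pkts": pkts,
                    "shadowed_by": shadowed_by}
    return None


if __name__ == "__main__":
    print(udp53_status(SAMPLE))
```

A host firewall only drops packets after they have already crossed the link, so even a DROP rule that is matching will relieve BIND but not a saturated uplink.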