I am an Internet service provider (ISP) and I am receiving daily emails about IPs of my clients generating attacks.
What I've done:
1) My DNS servers only respond to my clients.
2) My edge router already has locks and filters in BGP.
3) "Allow remote requests" for DNS is disabled on the PPPoE MikroTik servers.
From what I understand, I need to block spoofed traffic on my PPPoE servers, which are responsible for authenticating and giving internet access to customers.
What rules do I have to set so that my clients don't generate attacks and I also avoid ending up on the Spamhaus list?
e-mail:
You appear to be running an open recursive resolver at IP address X.X.X.X that participated in an attack against a customer of ours, generating large UDP responses to spoofed queries, with those responses becoming fragmented because of their size.
Please consider reconfiguring your resolver in one or more of these ways:
To only serve your customers and not respond to outside IP addresses (in BIND, this is done by defining a limited set of hosts in “allow-query”; with a Windows DNS server, you would need to use firewall rules to block external access to UDP port 53)
To only serve domains that it is authoritative for (in BIND, this is done by defining a limited set of hosts in “allow-query” for the server overall but setting “allow-query” to “any” for each zone)
To rate-limit responses to individual source IP addresses (such as by using DNS Response Rate Limiting or iptables rules)
If you are an ISP, please also look at your network configuration and make sure that you do not allow spoofed traffic (that pretends to be from external IP addresses) to leave the network. Hosts that allow spoofed traffic make possible this type of attack.
Example DNS responses from your resolver during this attack are given below.
Date/timestamps (far left) are UTC.
When you are an ISP and you don’t understand what is written in that mail, I advise you to hire a network
expert to review your network planning and security. This is all basic stuff that any ISP should know,
preferably before they open their network for customers.
Probably the most simple and effective method would be to drop any forward traffic coming from your clients on UDP/53 and TCP/53.
This could be it.
-Chris
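As an added illustration of the advice above (not a configuration posted in this thread), here is what the two measures look like on a RouterOS PPPoE access server: drop customer DNS traffic that is not headed for the ISP's own resolvers, and drop packets from customer sessions whose source address is not one the server handed out. Assumed values: the PPPoE pool is 100.64.0.0/16, the ISP resolvers are 192.0.2.10 and 192.0.2.11 (placeholders), and the PPP profile adds every dynamic PPPoE interface to the interface list "pppoe-clients". Note the direction: traffic coming from customers enters the router on the PPPoE interfaces, not on the WAN port.

```routeros
# Added example, not from the thread. Pool, resolver addresses and list
# names are assumptions; adjust them to the real deployment.

# Put every dynamic PPPoE session interface into one list so the rules
# below match all customers without naming each session.
/interface list add name=pppoe-clients
/ppp profile set default interface-list=pppoe-clients

# The resolvers customers are allowed to query (placeholder addresses).
/ip firewall address-list
add list=isp-resolvers address=192.0.2.10
add list=isp-resolvers address=192.0.2.11

/ip firewall filter
# 1) Anti-spoofing (BCP38): a packet arriving on a customer session must
#    carry a source address from the pool assigned to customers. Anything
#    else is forged and is dropped before it can leave the network.
add chain=forward in-interface-list=pppoe-clients src-address=!100.64.0.0/16 action=drop comment="drop spoofed source from customers"

# 2) DNS from customers may only go to the ISP resolvers ...
add chain=forward in-interface-list=pppoe-clients protocol=udp dst-port=53 dst-address-list=isp-resolvers action=accept
add chain=forward in-interface-list=pppoe-clients protocol=tcp dst-port=53 dst-address-list=isp-resolvers action=accept
# ... and DNS to any other destination is dropped. Logging it records the
#    session (and therefore the customer) that is still trying, so they can
#    be warned before an abuse report arrives.
add chain=forward in-interface-list=pppoe-clients protocol=udp dst-port=53 action=drop log=yes log-prefix="cust-dns-out"
add chain=forward in-interface-list=pppoe-clients protocol=tcp dst-port=53 action=drop log=yes log-prefix="cust-dns-out"

# Belt and braces: strict reverse-path filtering also discards packets whose
# source address would not be routed back out the interface they came in on.
/ip settings set rp-filter=strict
```

The filter rules are appended to the end of the forward chain, so if an earlier accept rule already matches customer traffic they need to be moved above it with place-before; the accept rules must also stay above the drop rules.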
I've prepared this rule to put in the PPPoE servers. Would it be this?
chain=forward action=drop protocol=udp in-interface=WAN PORT router board dst-port=53 log=no log-prefix=""
chain=forward action=drop protocol=tcp in-interface=WAN PORT router board dst-port=53 log=no log-prefix=""
If you know which customer is participating in the DDoS attack, you should warn that customer that you could block him if the problem isn't resolved.
I could not agree with you more.
I would say he is working for an ISP and the network admin just left or something, and he has no one to ask in the company to help him.
His Employer is most probably someone that acts like this “Why do I need to pay someone else to fix the issue if I am already paying you.”
I get the impression that many of the WISP posters here are one-man shops that jumped at a business opportunity of installing
WiFi equipment in a rural area, but don't have the technical background that is required to operate an ISP network.