by sella » Mon Aug 09, 2010 10:09 pm
For those of you dealing with your nameserver being used for a DDoS attack against a remote host, which can quickly fill your logs with messages such as "named[xxxx]: client 109.72.146.154#46250: error sending response: host unreachable", you can use PHREL, as described in the above article, to block the abuse and stop the log messages. For smaller-traffic nameservers, you can set a threshold of 15 pps with a rate of 0 to dynamically block the majority of these attacks. Larger-traffic nameservers may need to use a slightly higher threshold.
Here's an example command line for phreld to block this:
phreld -p 53 -T 15:0
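An added example, not from the post above or from PHREL itself: a small Python script that scans the BIND "error sending response: host unreachable" lines quoted in the post, counts them per client per second, and reports which clients exceed the 15 pps threshold the post suggests. It assumes each line carries a standard syslog prefix (timestamp, hostname), and the log lines it uses are constructed, not a real capture.

```python
import re
from collections import defaultdict

# Matches the BIND log line quoted in the post, with a syslog prefix of
# "<Mon DD HH:MM:SS> <hostname> " in front of it (an assumption about the
# reader's syslog layout).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: error sending response: host unreachable"
)


def rate_per_second(lines):
    """Count 'host unreachable' responses per client IP per one-second bucket."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not the failing-response message
        counts[m.group("ip")][m.group("ts")] += 1
    return counts


def over_threshold(lines, threshold=15):
    """Return {ip: peak_per_second} for clients whose peak exceeds the threshold."""
    flagged = {}
    for ip, buckets in rate_per_second(lines).items():
        peak = max(buckets.values())
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def build_sample_log():
    """Constructed sample log: one client well above 15 pps, one benign client."""
    tmpl = ("Aug  9 22:09:01 ns1 named[1234]: client {ip}#{port}: "
            "error sending response: host unreachable")
    lines = [tmpl.format(ip="198.51.100.7", port=46250) for _ in range(20)]
    lines += [tmpl.format(ip="203.0.113.9", port=5301) for _ in range(3)]
    lines.append("Aug  9 22:09:02 ns1 named[1234]: some unrelated message")
    return lines


if __name__ == "__main__":
    for ip, peak in over_threshold(build_sample_log()).items():
        print(f"{ip}: peak {peak} responses/second, candidate for phreld blocking")
```

Run it against a real named log with `over_threshold(open("/var/log/messages"))` to see which clients phreld's 15:0 setting would catch before deploying it.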