Debian 12 ISPConfig server. My syslog started growing at a spectacular rate in the past 5 days, to the point that it was filling the whole server disk. This is caused by millions of entries of this type:
Code:
2026-02-12T15:41:55.044210+00:00 v1 named[270743]: client @0x7fce9a3c6498 218.78.140.194#38011 (ofi.com): query (cache) 'ofi.com/ANY/IN' denied (allow-query-cache did not match)
The IP varies, so trying to firewall it out is impossible. ofi.com is a Chinese domain and this is not its nameserver, hence the 'not match'. It doesn't appear to be impacting the load average, but the syslog expanding to fill the disk makes it an effective DDoS. I am coping at the moment by running a cronjob every hour, filleting syslog of all ofi.com entries. Can anyone tell me anything about this type of attack and any other remedial action I could be taking?
These hosts are probing you to see if you're an open resolver and/or trying cache snooping and ANY-query amplification patterns. BIND is blocking them correctly. What you could try is to create a file:
Code:
/etc/rsyslog.d/ignore-bind-denied.conf
with this content:
Code:
:msg, contains, "allow-query-cache did not match" stop
and then run:
Code:
systemctl restart rsyslog
This is untested though.
Thanks Till. As if by magic, the moment I posted, the attack paused. It was expanding syslog by 5GB a day, so it would have taken less than 5 days to break this server's spare space. If they restart, I will test your suggestion and report back.
It did start again. Your suggestion appears tested and working ;-) Why millions of attempts from multiple servers are needed to probe for a BIND misconfiguration is a mystery. Thank you.
It is most probably an amplification attack. Request packets are small, but the response to the request can be significantly larger. If the attacker spoofs the requesting IP, they can generate massive traffic to that IP. For example, the answer to the request for ofi.com is over 5000 bytes in size.
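To make the arithmetic in that reply concrete, here is an added example (not code from the thread or from ISPConfig) that builds the ANY query for ofi.com in DNS wire format and the REFUSED reply a server that is not allowed to answer it sends back. The 5000-byte figure for a full answer is taken from the post; the flag bits of the modelled REFUSED reply beyond QR, RD and RCODE are an assumption, and the transaction ID is arbitrary.

```python
"""Added example (not from the thread): size of an ANY query on the wire versus
the replies it can provoke.  A full answer of 5000+ bytes (figure from the post)
gives a large amplification factor; a REFUSED reply is the same size as the
query, so a correctly restricted BIND reflects but barely amplifies."""
import struct

QTYPE_ANY = 255
QCLASS_IN = 1
RCODE_REFUSED = 5


def encode_name(name: str) -> bytes:
    """Encode a DNS name as length-prefixed labels followed by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = QTYPE_ANY, txid: int = 0x1234) -> bytes:
    """Minimal UDP DNS query: 12-byte header with RD set, QDCOUNT=1, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_refused(query: bytes) -> bytes:
    """Model of the reply sent when the client may not query the cache: QR=1,
    RD copied from the query, RCODE=REFUSED, question echoed, no records.
    Other flag bits are an assumption (BIND may also set RA depending on config)."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    rflags = 0x8000 | (flags & 0x0100) | RCODE_REFUSED
    return struct.pack("!HHHHHH", txid, rflags, qdcount, 0, 0, 0) + query[12:]


def rcode(packet: bytes) -> int:
    """Return the 4-bit response code from a DNS header."""
    return struct.unpack("!H", packet[2:4])[0] & 0x000F


def amplification_factor(query: bytes, response_len: int) -> float:
    """Bytes delivered to the (spoofed) victim per byte the attacker had to send."""
    return response_len / len(query)


if __name__ == "__main__":
    q = build_query("ofi.com")
    refused = build_refused(q)
    print(f"ANY query:          {len(q)} bytes")
    print(f"REFUSED reply:      {len(refused)} bytes, "
          f"factor {amplification_factor(q, len(refused)):.1f}x")
    print(f"full answer (post): 5000+ bytes, factor {amplification_factor(q, 5000):.0f}x")
```

The 25-byte query against a 5000-byte answer is a factor of 200; against a REFUSED reply it is a factor of 1. That is why the poster above calls this a failed attack: the server is still a reflector for the spoofed victim, but not an amplifier.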
Worryingly, suppressing the syslog messages won't stop the attack from continuing. Is there anything I can do to stop the feedback short of disabling BIND? That is not an option.
Not really worrying in my opinion, as it's a failed attack. As long as you do not have bandwidth issues and your BIND can handle the load to reject the requests, they will give up after some time.
I came across this thread because I'm also seeing DNS amplification attacks using ofi.com. The target of the attacks is the source IPs I/we see in our logs (rather than it targeting ofi.com). The solution should be to add something like this to named.conf.options. Doing so stops you being a participant in DNS amplification attacks, in this case where REFUSED responses are sent to the (spoofed) source IPs.
Code:
rate-limit {
    responses-per-second 10;
    errors-per-second 5;
    slip 0;
};
I'm seeing many thousands of requests from incrementing IPs in at least 2 different /16 networks. Each one will be limited to 5 REFUSED responses. But given there are so many spoofed source IPs, I've added fail2ban as well, and then banned the /16s on top of that. All the best
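The fail2ban-plus-/16 approach in that last post comes down to counting denied queries per source and per prefix. Here is an added example (not from the thread, ISPConfig or fail2ban) that does that pass over BIND log lines of the shape quoted at the top of the thread. The sample log is constructed with RFC 5737 documentation addresses; the threshold values in the usage section are arbitrary. Two caveats a practitioner would add before copying the rate-limit block: `slip 0` means limited replies are silently dropped rather than every second one being replaced by a truncated (TC) reply that lets a genuine client retry over TCP, and `log-only yes` inside `rate-limit` lets you see what would be limited before you enforce it. Also note that in a reflection attack the source addresses are the victims, so a firewall ban on them stops your server reflecting at them but blocks nothing the real attacker sends.

```python
"""Added example, not from the thread: a fail2ban-style sweep over BIND
'query ... denied' log lines that counts refusals per source host and per
/16, so a spoofed-source flood stands out from the odd legitimate refusal.
The log lines below are constructed with RFC 5737 documentation addresses."""
import ipaddress
import re
from collections import Counter

# Matches the line shape quoted in the thread; the '@0x...' client pointer and
# the '(cache)' qualifier are optional so plain allow-query denials match too.
DENIED_RE = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]*)\): query (?:\(cache\) )?'(?P<query>[^']+)' denied"
)

# Constructed sample: two busy /16s, one stray refusal, one unrelated line.
SAMPLE_LOG = """\
2026-02-12T15:41:55.044210+00:00 v1 named[270743]: client @0x7fce9a3c6498 192.0.2.10#38011 (ofi.com): query (cache) 'ofi.com/ANY/IN' denied (allow-query-cache did not match)
2026-02-12T15:41:55.051003+00:00 v1 named[270743]: client @0x7fce9a3c6498 192.0.2.10#38012 (ofi.com): query (cache) 'ofi.com/ANY/IN' denied (allow-query-cache did not match)
2026-02-12T15:41:55.060117+00:00 v1 named[270743]: client @0x7fce9a3c6498 192.0.2.77#40221 (ofi.com): query (cache) 'ofi.com/ANY/IN' denied (allow-query-cache did not match)
2026-02-12T15:41:55.071480+00:00 v1 named[270743]: client @0x7fce9a3c6498 192.0.3.4#5353 (ofi.com): query (cache) 'ofi.com/ANY/IN' denied (allow-query-cache did not match)
2026-02-12T15:41:55.082900+00:00 v1 named[270743]: client @0x7fce9a3c6498 198.51.100.9#33001 (ofi.com): query (cache) 'ofi.com/ANY/IN' denied (allow-query-cache did not match)
2026-02-12T15:41:55.090334+00:00 v1 named[270743]: client @0x7fce9a3c6498 198.51.100.200#33002 (ofi.com): query (cache) 'ofi.com/ANY/IN' denied (allow-query-cache did not match)
2026-02-12T15:41:55.101212+00:00 v1 named[270743]: client @0x7fce9a3c6498 198.51.101.31#33003 (ofi.com): query (cache) 'ofi.com/ANY/IN' denied (allow-query-cache did not match)
2026-02-12T15:41:56.000001+00:00 v1 named[270743]: client @0x7fce9a3c6498 203.0.113.5#51234 (example.org): query (cache) 'example.org/A/IN' denied (allow-query-cache did not match)
2026-02-12T15:41:56.100000+00:00 v1 named[270743]: resolver priming query complete
"""


def parse_denied(line: str):
    """Return (source_ip, 'name/type/class') for a denied-query line, else None."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("query")


def count_by_source(lines, prefixlen: int = 32) -> Counter:
    """Count denied queries per source, aggregated to /prefixlen (32 = per host)."""
    counts = Counter()
    for line in lines:
        parsed = parse_denied(line)
        if parsed is None:
            continue
        ip, _ = parsed
        try:
            net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        except ValueError:
            continue  # garbled address field: skip it rather than abort the sweep
        counts[str(net)] += 1
    return counts


def count_by_query(lines) -> Counter:
    """Which name/type pairs are being refused; an amplification flood is
    dominated by one large record set asked for with ANY."""
    counts = Counter()
    for line in lines:
        parsed = parse_denied(line)
        if parsed is not None:
            counts[parsed[1]] += 1
    return counts


def candidate_bans(lines, prefixlen: int = 16, threshold: int = 100) -> list:
    """Networks whose denied-query count reaches the threshold, sorted."""
    counts = count_by_source(lines, prefixlen)
    return sorted(net for net, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("per /16:   ", count_by_source(lines, 16).most_common())
    print("per query: ", count_by_query(lines).most_common())
    print("ban candidates (/16, >= 3):", candidate_bans(lines, 16, 3))
```

Run it against `/var/log/syslog` by replacing `SAMPLE_LOG.splitlines()` with the file's lines; on a real flood the per-query counter is dominated by a single `name/ANY/IN` entry and the per-/16 counter by a handful of prefixes, which is the signal the poster above banned on.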