Experimental fix for DNS DDOS attacks


As I can’t reply to the original thread here; DNS DDoS via multiple exit relays causing performance issues? - #2 by gus but I do wanted to share my quick-fix → I created this thread.

The issue is starting to get more frequent for me. So I currently have experimental restart cronjob of the unbound service on my relays. Unbound should never exceed even 10% sustained, but I’ve set it at 35% currently. If bad actors will abuse this to try to DOS me, I’ll migrate to another solution (e.g. GitHub - artikel10/surgeprotector: Block Tor Exit traffic to flooded IP addresses via ExitPolicy.) - but for now this seems fine. Either way, the attacks seem quite manual from what I can tell. When I remove the bad actor from my nodes, they start using other high bandwidth nodes of mine within 5 - 10 minutes sometimes. Some fun whack a mole. It’s also still sporadic, but frequency is increasing.

I documented it here; add experimental automatic dns ddos mitigation · cozybear-dev/ansible-tor@80c732f · GitHub

1 Like

I was more curious about how the attack would implement a DNS-based DDoS attack. After understanding the process of the attack, we will try to examine the solution.