Unbound DDoS / reflection attack counter-measure?

Hey guys,

Lately, we had a few botnets that slowed down our unbounds by querying
$RANDOM.www.$website.$tokill (see dump_requestlist below for an
example). They use up all the available sockets (numfiles) and then
unbound is very slow to resolve. I was wondering how we can mitigate
this kind of attack. I tried to play with jostle-timeout but I
couldn't really see an improvement.

My setup:

server:
  verbosity: 1
  interface-automatic: yes
  outgoing-range: 950
  outgoing-num-tcp: 50
  incoming-num-tcp: 50
  so-rcvbuf: 4m
  msg-cache-size: 50m
  jostle-timeout: 1000
  rrset-cache-size: 100m
  root-hints: "named.cache"
  hide-identity: yes
  hide-version: yes
  prefetch: yes
  prefetch-key: yes
  auto-trust-anchor-file: "root.key"
  
python:
remote-control:
  control-enable: yes

Version 1.4.16
linked libs: libevent 1.4.13-stable (it uses epoll), ldns 1.6.16,
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
linked modules: validator iterator
configured for i386-redhat-linux-gnu on Fri Feb 3 11:22:53 EST 2012
with options: '--build=i386-koji-linux-gnu'
'--host=i386-koji-linux-gnu' '--target=i386-redhat-linux-gnu'
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib'
'--libexecdir=/usr/libexec' '--localstatedir=/var'
'--sharedstatedir=/usr/com' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--with-ldns=' '--with-libevent'
'--with-pthreads' '--with-ssl' '--disable-rpath' '--enable-debug'
'--disable-static' '--with-conf-file=/etc/unbound/unbound.conf'
'--with-pidfile=/var/run/unbound/unbound.pid' '--disable-gost'
'--enable-sha2'

# unbound-control dump_requestlist
thread
# type cl name seconds module status
    0 A IN ns2.myhostadmin.net. - iterator wait for 118.123.249.112
    1 A IN n5w50.akamai.net. - iterator wait for 184.85.248.193
    2 AAAA IN ns6-193.akamaitech.net. - iterator wait for 2.22.230.193
    3 A IN ab.www.sidear.cn. 42.189186 iterator wants A IN
ns2.myhostadmin.net.
    4 A IN af.www.sidear.cn. 13.652754 iterator wants A IN
ns2.myhostadmin.net.
    5 A IN al.www.sidear.cn. 15.726925 iterator wants A IN
ns2.myhostadmin.net.
    6 A IN ap.www.sidear.cn. 35.822279 iterator wants A IN
ns2.myhostadmin.net.
    7 A IN cb.www.sidear.cn. 36.525941 iterator wants A IN
ns2.myhostadmin.net.
    8 A IN ch.www.sidear.cn. 28.784012 iterator wants A IN
ns2.myhostadmin.net.
    9 A IN ct.www.sidear.cn. 30.623194 iterator wants A IN
ns2.myhostadmin.net.
   10 A IN cx.www.sidear.cn. 42.648666 iterator wants A IN
ns2.myhostadmin.net.
   11 A IN gd.www.sidear.cn. 47.724493 iterator wants A IN
ns2.myhostadmin.net.
   12 A IN gh.www.sidear.cn. 39.788104 iterator wants A IN
ns2.myhostadmin.net.
   13 A IN id.www.sidear.cn. 35.823329 iterator wants A IN
ns2.myhostadmin.net.
   14 A IN iz.www.sidear.cn. 50.452290 iterator wants A IN
ns2.myhostadmin.net.
   15 A IN kd.www.sidear.cn. 42.652587 iterator wants A IN
ns2.myhostadmin.net.
   16 A IN kp.www.sidear.cn. 36.959272 iterator wants A IN
ns2.myhostadmin.net.
   17 A IN kx.www.sidear.cn. 36.594089 iterator wants A IN
ns2.myhostadmin.net.
   18 A IN kz.www.sidear.cn. 48.397588 iterator wants A IN
ns2.myhostadmin.net.
   19 A IN mb.www.sidear.cn. 24.006796 iterator wants A IN
ns2.myhostadmin.net.
   20 A IN mn.www.sidear.cn. 14.528836 iterator wants A IN
ns2.myhostadmin.net.
   21 A IN ql.www.sidear.cn. 6.824257 iterator wants A IN
ns2.myhostadmin.net.
   22 A IN qr.www.sidear.cn. 4.619793 iterator wants A IN
ns2.myhostadmin.net.
   23 A IN ur.www.sidear.cn. 31.598018 iterator wants A IN
ns2.myhostadmin.net.
   24 A IN wx.www.sidear.cn. 23.644625 iterator wants A IN
ns2.myhostadmin.net.
   25 A IN yf.www.sidear.cn. 22.313281 iterator wants A IN
ns2.myhostadmin.net.
   26 A IN yl.www.sidear.cn. 50.453409 iterator wants A IN
ns2.myhostadmin.net.
   27 A IN www.huffingtonpost.com. 0.002785 iterator wait for
204.74.109.1
   28 A IN apch.www.sidear.cn. 36.480382 iterator wants A IN
ns2.myhostadmin.net.
   29 A IN atoh.www.sidear.cn. 51.597774 iterator wants A IN
ns2.myhostadmin.net.
   30 A IN azcn.www.sidear.cn. 7.601601 iterator wants A IN
ns2.myhostadmin.net.
   31 A IN ctex.www.sidear.cn. 48.464616 iterator wants A IN
ns2.myhostadmin.net.
   32 A IN grkv.www.sidear.cn. 24.789270 iterator wants A IN
ns2.myhostadmin.net.
   33 A IN ibgx.www.sidear.cn. 34.850291 iterator wants A IN
ns2.myhostadmin.net.
   34 A IN ixcn.www.sidear.cn. 7.752019 iterator wants A IN
ns2.myhostadmin.net.
   35 A IN kfwb.www.sidear.cn. 23.526017 iterator wants A IN
ns2.myhostadmin.net.
   36 A IN kvah.www.sidear.cn. 1.452977 iterator wants A IN
ns2.myhostadmin.net.
   37 A IN mbqf.www.sidear.cn. 34.851145 iterator wants A IN
ns2.myhostadmin.net.
   38 A IN mjcn.www.sidear.cn. 7.603391 iterator wants A IN
ns2.myhostadmin.net.
   39 A IN ofqr.www.sidear.cn. 39.115637 iterator wants A IN
ns2.myhostadmin.net.
   40 A IN qzen.www.sidear.cn. 40.258983 iterator wants A IN
ns2.myhostadmin.net.
   41 A IN svkd.www.sidear.cn. 4.457772 iterator wants A IN
ns2.myhostadmin.net.
   42 A IN utgn.www.sidear.cn. 4.453644 iterator wants A IN
ns2.myhostadmin.net.
   43 A IN wngt.www.sidear.cn. 7.761654 iterator wants A IN
ns2.myhostadmin.net.
   44 A IN wrur.www.sidear.cn. 36.476068 iterator wants A IN
ns2.myhostadmin.net.
   45 A IN wxwj.www.sidear.cn. 40.300454 iterator wants A IN
ns2.myhostadmin.net.
   46 A IN yjyl.www.sidear.cn. 1.453848 iterator wants A IN
ns2.myhostadmin.net.
   47 A IN arqhmt.www.sidear.cn. 17.369252 iterator wants A IN
ns2.myhostadmin.net.
   48 A IN ebmpwj.www.sidear.cn. 30.374737 iterator wants A IN
ns2.myhostadmin.net.
   49 A IN efqnwr.www.sidear.cn. 6.852859 iterator wants A IN
ns2.myhostadmin.net.
   50 A IN ejuhkl.www.sidear.cn. 38.135769 iterator wants A IN
ns2.myhostadmin.net.
   51 A IN elejgp.www.sidear.cn. 22.328630 iterator wants A IN
ns2.myhostadmin.net.
   52 A IN ensrgj.www.sidear.cn. 41.439056 iterator wants A IN
ns2.myhostadmin.net.
   53 A IN evofml.www.sidear.cn. 8.495929 iterator wants A IN
ns2.myhostadmin.net.
   54 A IN klcxup.www.sidear.cn. 47.810884 iterator wants A IN
ns2.myhostadmin.net.
   55 A IN knahsr.www.sidear.cn. 17.327300 iterator wants A IN
ns2.myhostadmin.net.
   56 A IN mfenyb.www.sidear.cn. 8.225055 iterator wants A IN
ns2.myhostadmin.net.
   57 A IN ohmjyb.www.sidear.cn. 6.496341 iterator wants A IN
ns2.myhostadmin.net.
   58 A IN ovifsx.www.sidear.cn. 2.577618 iterator wants A IN
ns2.myhostadmin.net.
   59 A IN qbsnet.www.sidear.cn. 14.002211 iterator wants A IN
ns2.myhostadmin.net.
   60 A IN qdebir.www.sidear.cn. 2.579080 iterator wants A IN
ns2.myhostadmin.net.
   61 A IN qjstov.www.sidear.cn. 6.004333 iterator wants A IN
ns2.myhostadmin.net.
   62 A IN qtczod.www.sidear.cn. 8.235214 iterator wants A IN
ns2.myhostadmin.net.
   63 A IN sfgtuj.www.sidear.cn. 8.491116 iterator wants A IN
ns2.myhostadmin.net.
   64 A IN shsnif.www.sidear.cn. 6.851626 iterator wants A IN
ns2.myhostadmin.net.
   65 A IN spizir.www.sidear.cn. 14.050631 iterator wants A IN
ns2.myhostadmin.net.
   66 A IN uhwzed.www.sidear.cn. 27.213915 iterator wants A IN
ns2.myhostadmin.net.
   67 A IN utajir.www.sidear.cn. 38.068550 iterator wants A IN
ns2.myhostadmin.net.
   68 A IN wfankt.www.sidear.cn. 30.301681 iterator wants A IN
ns2.myhostadmin.net.
   69 A IN wxsxwl.www.sidear.cn. 41.365671 iterator wants A IN
ns2.myhostadmin.net.
   70 A IN ahangded.www.sidear.cn. 29.609808 iterator wants A IN
ns2.myhostadmin.net.
   71 A IN ajilujyl.www.sidear.cn. 50.807512 iterator wants A IN
ns2.myhostadmin.net.
   72 A IN ajqzcrop.www.sidear.cn. 51.094238 iterator wants A IN
ns2.myhostadmin.net.
   73 A IN anszsfcv.www.sidear.cn. 50.455123 iterator wants A IN
ns2.myhostadmin.net.
   74 A IN aritqlyf.www.sidear.cn. 50.317049 iterator wants A IN
ns2.myhostadmin.net.
   75 A IN cfypwtmd.www.sidear.cn. 9.827067 iterator wants A IN
ns2.myhostadmin.net.
   76 A IN clatwtsb.www.sidear.cn. 42.653462 iterator wants A IN
ns2.myhostadmin.net.
   77 A IN gxovkjan.www.sidear.cn. 32.918413 iterator wants A IN
ns2.myhostadmin.net.
   78 A IN qbqpupwp.www.sidear.cn. 47.787873 iterator wants A IN
ns2.myhostadmin.net.
   79 A IN qvofqbwt.www.sidear.cn. 17.846959 iterator wants A IN
ns2.myhostadmin.net.
   80 A IN qxgxevcd.www.sidear.cn. 41.909531 iterator wants A IN
ns2.myhostadmin.net.
   81 A IN utclclep.www.sidear.cn. 51.050237 iterator wants A IN
ns2.myhostadmin.net.
   82 A IN uzetiper.www.sidear.cn. 39.971235 iterator wants A IN
ns2.myhostadmin.net.
   83 A IN wduxyzyz.www.sidear.cn. 7.460363 iterator wants A IN
ns2.myhostadmin.net.
   84 A IN wfkpqfkf.www.sidear.cn. 47.733132 iterator wants A IN
ns2.myhostadmin.net.
   85 A IN wvczepkp.www.sidear.cn. 50.092583 iterator wants A IN
ns2.myhostadmin.net.
   86 A IN ylyrghid.www.sidear.cn. 41.605773 iterator wants A IN
ns2.myhostadmin.net.
   87 A IN ytidermv.www.sidear.cn. 9.828912 iterator wants A IN
ns2.myhostadmin.net.
   88 A IN ajkrutsryb.www.sidear.cn. 53.798360 iterator wants A IN
ns2.myhostadmin.net.
   89 A IN arqjgbgjin.www.sidear.cn. 15.645930 iterator wants A IN
ns2.myhostadmin.net.
   90 A IN cpidahmvqt.www.sidear.cn. 7.909781 iterator wants A IN
ns2.myhostadmin.net.
   91 A IN ehitofszoh.www.sidear.cn. 51.570466 iterator wants A IN
ns2.myhostadmin.net.
   92 A IN epghgjobyn.www.sidear.cn. 49.514039 iterator wants A IN
ns2.myhostadmin.net.
   93 A IN gbovejqbir.www.sidear.cn. 51.530852 iterator wants A IN
ns2.myhostadmin.net.
   94 A IN gripcnujkv.www.sidear.cn. 15.703299 iterator wants A IN
ns2.myhostadmin.net.
   95 A IN ijoxyribqv.www.sidear.cn. 22.093370 iterator wants A IN
ns2.myhostadmin.net.
   96 A IN ipkjwzgbsf.www.sidear.cn. 18.951809 iterator wants A IN
ns2.myhostadmin.net.
   97 A IN ivenmtylwn.www.sidear.cn. 51.300647 iterator wants A IN
ns2.myhostadmin.net.
   98 A IN krqvojmngv.www.sidear.cn. 10.421760 iterator wants A IN
ns2.myhostadmin.net.
   99 A IN mbwrinyjsr.www.sidear.cn. 27.818190 iterator wants A IN
ns2.myhostadmin.net.
100 A IN mfaperuzwj.www.sidear.cn. 10.417978 iterator wants A IN
ns2.myhostadmin.net.
101 A IN mlgpctypiv.www.sidear.cn. 7.884987 iterator wants A IN
ns2.myhostadmin.net.
102 A IN oxubapuzuf.www.sidear.cn. 22.094394 iterator wants A IN
ns2.myhostadmin.net.
103 A IN ozwxqfylkb.www.sidear.cn. 27.816673 iterator wants A IN
ns2.myhostadmin.net.
104 A IN srufqnonof.www.sidear.cn. 53.799629 iterator wants A IN
ns2.myhostadmin.net.
105 A IN upypcxurmb.www.sidear.cn. 19.002303 iterator wants A IN
ns2.myhostadmin.net.
106 A IN ynuzgzyzix.www.sidear.cn. 39.295484 iterator wants A IN
ns2.myhostadmin.net.
107 A IN ypexwpcxyn.www.sidear.cn. 50.920139 iterator wants A IN
ns2.myhostadmin.net.
108 A IN bvegojzxyzi.www.sidear.cn. 19.975944 iterator wants A IN
ns2.myhostadmin.net.
109 A IN ehbzbczqepm.www.sidear.cn. 14.415002 iterator wants A IN
ns2.myhostadmin.net.
110 A IN givnjwjnphi.www.sidear.cn. 46.720398 iterator wants A IN
ns2.myhostadmin.net.
111 A IN gonnhwgbnzl.www.sidear.cn. 42.720044 iterator wants A IN
ns2.myhostadmin.net.
112 A IN gslqbyafiqv.www.sidear.cn. 42.716279 iterator wants A IN
ns2.myhostadmin.net.
113 A IN hfptiqnjkrn.www.sidear.cn. 49.709853 iterator wants A IN
ns2.myhostadmin.net.
114 A IN hnpmvhynqhj.www.sidear.cn. 47.204509 iterator wants A IN
ns2.myhostadmin.net.
115 A IN jmxigigifrw.www.sidear.cn. 8.069125 iterator wants A IN
ns2.myhostadmin.net.
116 A IN kaxlfwkphnh.www.sidear.cn. 38.470971 iterator wants A IN
ns2.myhostadmin.net.
117 A IN kdgyfqmfbyk.www.sidear.cn. 8.068407 iterator wants A IN
ns2.myhostadmin.net.
118 A IN lskvlbsiwnz.www.sidear.cn. 27.452383 iterator wants A IN
ns2.myhostadmin.net.
119 A IN mjrhfnruxkr.www.sidear.cn. 27.518935 iterator wants A IN
ns2.myhostadmin.net.
120 A IN nvjifxlrdia.www.sidear.cn. 49.635749 iterator wants A IN
ns2.myhostadmin.net.
121 A IN qfwiowmysds.www.sidear.cn. 14.490697 iterator wants A IN
ns2.myhostadmin.net.
122 A IN rvjgiygcvtd.www.sidear.cn. 47.937117 iterator wants A IN
ns2.myhostadmin.net.
123 A IN udghnznzesb.www.sidear.cn. 24.854974 iterator wants A IN
ns2.myhostadmin.net.
124 A IN ybxikrfllfd.www.sidear.cn. 19.975561 iterator wants A IN
ns2.myhostadmin.net.
125 A IN zdpcorkvvwu.www.sidear.cn. 48.517597 iterator wants A IN
ns2.myhostadmin.net.
126 A IN anmdovchgxah.www.sidear.cn. 17.186747 iterator wants A IN
ns2.myhostadmin.net.
127 A IN anofylgdybuf.www.sidear.cn. 25.255537 iterator wants A IN
ns2.myhostadmin.net.
128 A IN clmbmpsbular.www.sidear.cn. 52.650671 iterator wants A IN
ns2.myhostadmin.net.
129 A IN ebgpajyfazev.www.sidear.cn. 41.587735 iterator wants A IN
ns2.myhostadmin.net.
130 A IN elarevyvobwl.www.sidear.cn. 49.360026 iterator wants A IN
ns2.myhostadmin.net.
131 A IN etsfkzcfgdix.www.sidear.cn. 15.725886 iterator wants A IN
ns2.myhostadmin.net.
132 A IN ezohqjmvadub.www.sidear.cn. 34.865704 iterator wants A IN
ns2.myhostadmin.net.
133 A IN gbkfcpsjgheb.www.sidear.cn. 41.515665 iterator wants A IN
ns2.myhostadmin.net.
134 A IN gpedmhabazor.www.sidear.cn. 54.426431 iterator wants A IN
ns2.myhostadmin.net.
135 A IN grkjmdkvmvkb.www.sidear.cn. 17.520398 iterator wants A IN
ns2.myhostadmin.net.
136 A IN ihaxozupcfqf.www.sidear.cn. 17.184805 iterator wants A IN
ns2.myhostadmin.net.
137 A IN inanyxebozaz.www.sidear.cn. 51.762954 iterator wants A IN
ns2.myhostadmin.net.
138 A IN inkrsbonapcd.www.sidear.cn. 19.425085 iterator wants A IN
ns2.myhostadmin.net.
139 A IN kfkvibcpijap.www.sidear.cn. 19.474776 iterator wants A IN
ns2.myhostadmin.net.
140 A IN kpijcbejencb.www.sidear.cn. 13.030587 iterator wants A IN
ns2.myhostadmin.net.
141 A IN kvexsfivyjet.www.sidear.cn. 41.586191 iterator wants A IN
ns2.myhostadmin.net.
142 A IN mhmfwvmbqhaz.www.sidear.cn. 7.046275 iterator wants A IN
ns2.myhostadmin.net.
143 A IN mhutgbevgfsx.www.sidear.cn. 28.634404 iterator wants A IN
ns2.myhostadmin.net.
144 A IN ohgzqjyzubwv.www.sidear.cn. 28.570450 iterator wants A IN
ns2.myhostadmin.net.
145 A IN ohirihyhktaj.www.sidear.cn. 49.253445 iterator wants A IN
ns2.myhostadmin.net.
146 A IN ojwvydqjopaj.www.sidear.cn. 17.477149 iterator wants A IN
ns2.myhostadmin.net.
147 A IN otavsrihgvsh.www.sidear.cn. 7.155225 iterator wants A IN
ns2.myhostadmin.net.
148 A IN otgbmdezsbgn.www.sidear.cn. 23.643597 iterator wants A IN
ns2.myhostadmin.net.
149 A IN qdelkjstgnkt.www.sidear.cn. 22.390590 iterator wants A IN
ns2.myhostadmin.net.
150 A IN qhwpkzubelil.www.sidear.cn. 23.614125 iterator wants A IN
ns2.myhostadmin.net.
151 A IN stgvmvmxylex.www.sidear.cn. 15.724926 iterator wants A IN
ns2.myhostadmin.net.
152 A IN ubovszyvmrux.www.sidear.cn. 21.482549 iterator wants A IN
ns2.myhostadmin.net.
153 A IN wrmjcdalexcj.www.sidear.cn. 25.321208 iterator wants A IN
ns2.myhostadmin.net.
154 A IN wrqnmnqfuduv.www.sidear.cn. 52.556483 iterator wants A IN
ns2.myhostadmin.net.
155 A IN ybixkdqxklqv.www.sidear.cn. 28.653361 iterator wants A IN
ns2.myhostadmin.net.
156 A IN almhihcrwbafwv.www.sidear.cn. 24.786379 iterator wants A IN
ns2.myhostadmin.net.
157 A IN averargrgbuvkl.www.sidear.cn. 50.474760 iterator wants A IN
ns2.myhostadmin.net.
158 A IN gbsngvgrmvejwb.www.sidear.cn. 24.764540 iterator wants A IN
ns2.myhostadmin.net.
159 A IN glctkrgdojwpsb.www.sidear.cn. 53.031199 iterator wants A IN
ns2.myhostadmin.net.
160 A IN ivglifkperwpgv.www.sidear.cn. 29.038691 iterator wants A IN
ns2.myhostadmin.net.
161 A IN kfevwzclwdmdoh.www.sidear.cn. 24.575344 iterator wants A IN
ns2.myhostadmin.net.
162 A IN krudkncrshifyf.www.sidear.cn. 10.024796 iterator wants A IN
ns2.myhostadmin.net.
163 A IN qtcfonetwfmfif.www.sidear.cn. 41.786544 iterator wants A IN
ns2.myhostadmin.net.
164 A IN sbojifsxmvqnkv.www.sidear.cn. 42.592631 iterator wants A IN
ns2.myhostadmin.net.
165 A IN snencdanutynkd.www.sidear.cn. 53.121954 iterator wants A IN
ns2.myhostadmin.net.
166 A IN ujyrqlahmzwngr.www.sidear.cn. 29.111417 iterator wants A IN
ns2.myhostadmin.net.
167 A IN uvonilcvcjqhax.www.sidear.cn. 24.572564 iterator wants A IN
ns2.myhostadmin.net.
168 A IN wpktklalgxqfid.www.sidear.cn. 22.094554 iterator wants A IN
ns2.myhostadmin.net.
169 A IN wrolwvihwpcfqv.www.sidear.cn. 20.213483 iterator wants A IN
ns2.myhostadmin.net.
170 A IN ybkhyncjkjmdml.www.sidear.cn. 20.214726 iterator wants A IN
ns2.myhostadmin.net.
171 A IN fbcdn-profile-a.akamaihd.net. - iterator wait for
2.22.230.129
172 A IN abupkvgrubmrwniv.www.sidear.cn. 30.228467 iterator wants A
IN ns2.myhostadmin.net.
173 A IN ebgxexmtytmnczol.www.sidear.cn. 30.150206 iterator wants A
IN ns2.myhostadmin.net.
174 A IN enqlufapqlitqdif.www.sidear.cn. 6.351402 iterator wants A
IN ns2.myhostadmin.net.
175 A IN ghwdqjexkrkpwlwf.www.sidear.cn. 26.862038 iterator wants A
IN ns2.myhostadmin.net.
176 A IN gnchgvqxkrsvkfwn.www.sidear.cn. 3.332469 iterator wants A
IN ns2.myhostadmin.net.
177 A IN ifebafwtyfopyhkb.www.sidear.cn. 53.976731 iterator wants A
IN ns2.myhostadmin.net.
178 A IN ilqvcbklgrqvixin.www.sidear.cn. 3.034479 iterator wants A
IN ns2.myhostadmin.net.
179 A IN itqzydqpanubkncj.www.sidear.cn. 19.094262 iterator wants A
IN ns2.myhostadmin.net.
180 A IN ivwvqpczcfijeton.www.sidear.cn. 47.536110 iterator wants A
IN ns2.myhostadmin.net.
181 A IN oharytojsnatcnqr.www.sidear.cn. 12.400879 iterator wants A
IN ns2.myhostadmin.net.
182 A IN qxenmhizsrqvuhsp.www.sidear.cn. 6.642887 iterator wants A
IN ns2.myhostadmin.net.
183 A IN shqlgzyjinmnobon.www.sidear.cn. 26.924261 iterator wants A
IN ns2.myhostadmin.net.
184 A IN ufkhupcpgjqlqreh.www.sidear.cn. 47.538700 iterator wants A
IN ns2.myhostadmin.net.
185 A IN yfkzmnshejazefwh.www.sidear.cn. 25.165260 iterator wants A
IN ns2.myhostadmin.net.
186 A IN ynkpmvmnodclklob.www.sidear.cn. 7.818328 iterator wants A
IN ns2.myhostadmin.net.
187 A IN fbcdn-sphotos-g-a.akamaihd.net. - iterator wait for
61.213.146.4

Any ideas or suggestions are welcome.
Cheers,
Thomas

Hi,

If your server does not need to be open to the world, you could restrict
queries to the subnets you control by adding "access-control:
<subnet>/<mask> allow".

I do have access-control lines, but because I had so many I removed them for clarity and forgot to keep a few. As an ISP, we have customers that obviously have malware running on networks/hosts we cannot control.

So my config actually looks like this:

server:
         verbosity: 1
         interface-automatic: yes
         outgoing-range: 950
         outgoing-num-tcp: 50
         incoming-num-tcp: 50
         so-rcvbuf: 4m
         msg-cache-size: 50m
         jostle-timeout: 1000
         rrset-cache-size: 100m
         root-hints: "named.cache"
         access-control: 127.0.0.0/8 allow
         access-control: ::1 allow
         access-control: 2407:6800:xx:xx::/64 allow
         access-control: 192.168.0.0/16 allow
         access-control: 123.xxx.xxx.xxx/17 allow
         [..]
         hide-identity: yes
         hide-version: yes
         prefetch: yes
         prefetch-key: yes
         auto-trust-anchor-file: "root.key"

python:
remote-control:
         control-enable: yes

Sorry for the oversight.

Thomas

Hi,

A countermeasure would be just blackholing "sidear.cn".

# queries for sidear.cn is just dropped and generates no answer.
local-zone: "sidear.cn" deny

- or -

# queries for sidear.cn returns REFUSED
local-zone: "sidear.cn" refuse

And increasing these params would mitigate this kind of attack:

num-queries-per-thread
outgoing-range
so-rcvbuf
so-sndbuf

The "Howto Optimise" document will help:
http://unbound.nlnetlabs.nl/documentation/howto_optimise.html

Hello all,

we have exactly the same issue. Being an ISP with thousands of misconfigured clients with open resolvers in their DSL modems (which you cannot even fix because of buggy firmware), you cannot simply cut them off. We were using PowerDNS in the past and when these attacks started we migrated completely to Unbound.

Unbound is much more resistant to such attacks; nevertheless, in order to get rid of them, we are doing the following using a script:

  • query Unbound for running queries every minute using unbound-control dump_requestlist

  • count queries for every 2nd- or 3rd-level domain

  • if there are more queries than the threshold for a domain, we compare the domain with the Alexa list http://www.alexa.com/topsites

  • if there is a match, the entry is ignored

  • if not, the domain is under attack and we create a local zone for sending REFUSED

We do it every minute. It is not perfect, but after about 4 months we had just about 2-3 false positives. We have 8 servers behind LVS and since then we have no problems any more.

Ales
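The loop Ales describes, and the run-time form of the "local-zone ... refuse" suggested in the earlier reply, written out as an added example. This is not Ales's script and not part of the thread; it assumes unbound-control is on PATH with remote-control enabled, an optional allowlist.txt (one domain per line, standing in for the Alexa list), and a deliberately simple registrable-domain heuristic (a small set of second-level labels under two-letter TLDs) instead of the public suffix list. The sample dump embedded below is constructed from a few rows of the dump in the thread.

```python
"""Detection loop sketched in the post above: parse the request list,
count in-flight queries per registrable domain, skip allowlisted domains,
and refuse the rest at run time. Added example, not Ales's script."""
import re
import subprocess
import sys
from collections import Counter

# A request-list row, as printed by "unbound-control dump_requestlist":
#   <idx> <qtype> <qclass> <qname> <seconds or -> <module> <status ...>
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

# Second-level labels under a two-letter TLD where the registrable name is
# one label deeper (example.co.uk). Assumption/simplification: a real
# deployment should use the public suffix list instead of this set.
SECOND_LEVEL = {"co", "com", "net", "org", "ac", "gov", "edu"}


def registrable_domain(qname):
    """'ab.www.sidear.cn.' -> 'sidear.cn'; 'x.example.co.uk.' -> 'example.co.uk'."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_requestlist(text):
    """Yield (qname, seconds_or_None, status) for each row. Header/thread
    lines and wrapped continuation lines (as in the e-mail paste) are skipped
    because they do not start with a row index."""
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        _idx, _qtype, _qclass, qname, secs, _module, status = m.groups()
        yield qname, (None if secs == "-" else float(secs)), status


def domains_over_threshold(text, threshold, allowlist):
    """Registrable domains with >= threshold in-flight queries, minus the
    allowlist (the post uses the Alexa top sites; pass your own list)."""
    counts = Counter(registrable_domain(q) for q, _s, _st in parse_requestlist(text))
    allowed = {registrable_domain(a) for a in allowlist}
    return sorted(d for d, n in counts.items() if n >= threshold and d not in allowed)


def refuse_commands(domains):
    """unbound-control command lines that add a 'refuse' local zone without a
    restart (the local_zone control command; check your version supports it)."""
    return [["unbound-control", "local_zone", d, "refuse"] for d in domains]


# Constructed sample, modelled on a few rows of the dump in the thread.
SAMPLE_DUMP = """\
thread #0
#   type cl name    seconds    module status
  0 A IN ns2.myhostadmin.net. - iterator wait for 118.123.249.112
  1 A IN n5w50.akamai.net. - iterator wait for 184.85.248.193
  2 AAAA IN ns6-193.akamaitech.net. - iterator wait for 2.22.230.193
  3 A IN ab.www.sidear.cn. 42.189186 iterator wants A IN ns2.myhostadmin.net.
  4 A IN af.www.sidear.cn. 13.652754 iterator wants A IN ns2.myhostadmin.net.
  5 A IN al.www.sidear.cn. 15.726925 iterator wants A IN ns2.myhostadmin.net.
  6 A IN www.huffingtonpost.com. 0.002785 iterator wait for 204.74.109.1
"""


def main(argv):
    """Usage: script.py [threshold] [--apply]   (run from cron every minute).
    Without --apply the commands are only printed."""
    threshold = int(argv[1]) if len(argv) > 1 and argv[1].isdigit() else 20
    try:
        with open("allowlist.txt") as fh:   # assumed file, one domain per line
            allowlist = [l.strip() for l in fh if l.strip()]
    except FileNotFoundError:
        allowlist = []
    dump = subprocess.run(["unbound-control", "dump_requestlist"],
                          check=True, capture_output=True, text=True).stdout
    for cmd in refuse_commands(domains_over_threshold(dump, threshold, allowlist)):
        print(" ".join(cmd))
        if "--apply" in argv:
            subprocess.run(cmd, check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two caveats worth keeping in mind when running something like this: a local zone added with unbound-control lives only in memory, so it disappears on restart (and can be dropped deliberately with unbound-control local_zone_remove once the flood stops), and a refuse zone for sidear.cn also refuses legitimate lookups of anything under that name, which is exactly the false-positive trade-off Ales mentions; the allowlist is what limits that, so keep it current.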