Attack on Pi-hole

Hello, I have a lot of requests to my Pi-hole (on my Debian 10 OVH VPS) from Russia with the domain ".".

I will block this IP, but I don't know if the problem is elsewhere.

The problem is likely that you run an open resolver. Your Pi-hole is accessible for everyone from the internet and part of a DNS amplification attack.

https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/

First step would be to take this Pi-hole offline immediately.

6 Likes

Those big . any replies are perfectly suited for DDoS-ing some poor victim:

pi@ph5b:~ $ dig . any

; <<>> DiG 9.16.22-Raspbian <<>> . any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50119
;; flags: qr rd ra; QUERY: 1, ANSWER: 21, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;.                              IN      ANY

;; ANSWER SECTION:
.                       82213   IN      NS      k.root-servers.net.
.                       82213   IN      NS      h.root-servers.net.
.                       82213   IN      NS      d.root-servers.net.
.                       66122   IN      DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
.                       82213   IN      NS      i.root-servers.net.
.                       82213   IN      NS      f.root-servers.net.
.                       66122   IN      DNSKEY  256 3 8 AwEAAak/ZU9wDNQD7XTAGTDkn32UR8I6auRDekbGky+yyWKdUHmwAJv9 0YHCUTib8aVBgNgbxkeeZGRx3W4+XhMZbfUr5fMwmD3u9P2yzJpbRtjG NM/XZvzGs9HHNymz3Bp851anHZfNy6pJud265/XMKzFlAY8sMJjum0hv x/DuCDELLyhsvdfOD9rHM93UXO0bcAjvI8tjZsGI+Pfp9KdxF9vS/sAz pFXKsldix+e6xv8rRS6WPg2LAooxF+eO5DgFSilYmnyCK4VPJ7ntjD/8 m0bs128ZT1eY3oXCbojDv59lLAgrdGSbcVxQF2KHoUHDmkOC5BzG/1xR tW4v/3y4/H8=
.                       82213   IN      NS      j.root-servers.net.
.                       82213   IN      NS      b.root-servers.net.
.                       82213   IN      NS      c.root-servers.net.
.                       82213   IN      NS      a.root-servers.net.
.                       82213   IN      NS      m.root-servers.net.
.                       86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2022061800 1800 900 604800 86400
.                       82213   IN      NS      l.root-servers.net.
.                       82213   IN      NS      g.root-servers.net.
.                       82213   IN      NS      e.root-servers.net.
.                       86400   IN      NSEC    aaa. NS SOA RRSIG NSEC DNSKEY
.                       86400   IN      RRSIG   NS 8 0 518400 20220701050000 20220618040000 47671 . CXmI8dPBrZhmfzXoIzN+31iMz2jljgalxjJihnHnAOELt4EZ653zRB9M b2buLOoHCXvfizrXmlUSSC/bns1YcPv8idZwklRLikY4+cHSzruUL9xN jT47bLNLfQ20JjpXUiiF7wzMofkC60k7UbhK83NpEhpEnP9vMlB+GoGf Al/yfX6JgiaKZ+TEmxJZczOXDhNMCZ88D6IvNnDxrWW95mHByVWaqsyv jJ4Xxh4VsqFHQUpWNduQcQBiuj7DPmpFX0aqShAp9+8ljLFm6egM4sJ/ 8+Fk6OROyEEInLeznkTxiYFBTZ16GE38/+NkBxbkRRqriIeCWdrs0q1b 9FwKeQ==
.                       86400   IN      RRSIG   DNSKEY 8 0 172800 20220701000000 20220610000000 20326 . pc+CCq9mgXEdLSMLQeXdlDpV+drD9jNwU/jGA18Ajck0Ov8i3u0Ucng0 hWGl8/tdtfIpqwyV1ifG4sdh+u7nYXNzNR8BDmPp1HjMumoRCu6c/aJd 9KVPqxKqkDeuCF/IzolgUW4ELSdeOlXajb+SnF3yG2DvnWZNgZT/mw/7 +8cr3Q8anPbP4sQoneFTHhSo33djoKmwqFVV1V7pygiGWb7ZU6hnIEYk vKKhvGu0uwhShkHBFXj6oTOyEnEDldXbLDcvilTSAwNnbiLZoEK1DZNx Q+jQ7uYIlP0JCKNSQoKKx+2zlklGHjkVRA+/7JjtZjIlP6uMes8Dm4ur G26JsQ==
.                       86400   IN      RRSIG   SOA 8 0 86400 20220701050000 20220618040000 47671 . Mwn0whouX5ez5TTq3KVaxPnrs4RPiuUzmwlwOld0VYjrVlIDkzEr+aQh VIZfE2PjpqaxJxVQwLDvq+yPptpFDWEJbPUvcWAAXVaPHpHTYO11JkVH FY1V86X75+Nen6vGpMAboyCvS8MQnaCh3+o98v7KaBSIuEU0ZM1aPbyj 3C4q0euYjMrtO66AvFqH9tRP/FhFXWZLg5sKnFoNMwWtBgZurdVJ5x3+ B0VBomHZ/iztx4H6oa5cF50tIOJn7Agz1gkZI7Pmp4SV4BGM7Gncfd5E 82kG83dOlzSwa6MC63E2mGfm8M6HRL26RJ4ea/kbMpOAcdvl4I0JEP2h TOUBcA==
.                       86400   IN      RRSIG   NSEC 8 0 86400 20220701050000 20220618040000 47671 . gA0dRHsbFRXM7WgLB2Ej+AuUkPl9/6L6EKBb0REpzA8W4F0psn6jgQ/y r08YoQzCZ8tJ4pmQlKaGWgGufH+WUvdnscKjaj1YWXSgTbfOMrJ2q/91 jjVkmmGmQ0e3RJEIdvmbQVulAJ9W+fTl9jnQzZzqpVbVnsCqnNqRcT9a mJ+ZKFS0NNimn7z7vkC4jIx33NVBBXDhCDGvCUyE3sRc3ejxQJ5JXhz3 VFU6u1rOkhjhIUxiY40K9X52HG0+7yfeysgDudXwtB6R2n6BwWOmFY03 DMnidKTZHldpbDJLh5RdG2gr7Cu66BQjg4jh89FKfcpHTB9fjOGACZ00 wh28pg==

;; Query time: 19 msec
;; SERVER: 10.0.0.1#53(10.0.0.1)
;; WHEN: Sat Jun 18 22:00:43 CEST 2022
;; MSG SIZE  rcvd: 2015

That's 2015 amplified bytes that are getting reflected off your open resolver to some poor victim.
And usually a couple of thousand bots, running amongst others on infected machines, reflect off open resolvers to overwhelm a target victim.

4 Likes
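A log check for the situation discussed in this thread, as an added example that is not part of any post: it scans dnsmasq-style query log lines, as Pi-hole writes them, and counts queries from clients outside loopback and private ranges. The sample lines are constructed, and the `LOCAL_NETS` list is an assumption to adjust to your own network.

```python
import ipaddress
import re
from collections import Counter

# dnsmasq query log line: "... dnsmasq[pid]: query[TYPE] NAME from CLIENT"
QUERY_RE = re.compile(r"query\[(?P<qtype>[^\]]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")

# Assumption: only these ranges count as "my own clients"; add VPN ranges as needed.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample lines (documentation address ranges), not taken from the thread.
SAMPLE_LOG = """\
Jun 18 21:59:58 dnsmasq[812]: query[A] debian.org from 127.0.0.1
Jun 18 22:00:01 dnsmasq[812]: query[ANY] . from 203.0.113.7
Jun 18 22:00:01 dnsmasq[812]: query[ANY] . from 203.0.113.7
Jun 18 22:00:02 dnsmasq[812]: query[ANY] . from 198.51.100.23
Jun 18 22:00:02 dnsmasq[812]: forwarded . to 9.9.9.9
Jun 18 22:00:03 dnsmasq[812]: query[AAAA] example.com from 10.8.0.2
Jun 18 22:00:04 dnsmasq[812]: query[ANY] . from 203.0.113.7
"""

def is_local(client):
    """True if the client address falls inside one of LOCAL_NETS."""
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:
        return False  # unparsable client field: treat as external
    return any(ip in net for net in LOCAL_NETS)

def external_queries(log_text):
    """Count (client, qtype, name) for every query from a non-local address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and not is_local(m["client"]):
            hits[(m["client"], m["qtype"], m["name"])] += 1
    return hits

def exposed_to_internet(log_text):
    """Queries arriving from non-local addresses mean port 53 is reachable from outside."""
    return bool(external_queries(log_text))

if __name__ == "__main__":
    for (client, qtype, name), n in external_queries(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {client:<15}  {qtype:<4}  {name}")
```

Any row in the output is a client that should not be able to reach the resolver at all; blocking single addresses does not change that, restricting port 53 to your own clients does.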