Re: DOS attack against DNS?

[Joe Shen <joe_hznm () yahoo com sg>]

Last saturday one of our Web server experienced a TCP
SYN attck which make the system down for four hours.
It seems there is not a good solution which could
detect & defend DoS traffic at any time.  

So, to the class ANY queries, should we only filtering
out class any queries on public cache servers ?  To my
understandings, the amplifying result could also be
reached by query type any.

Joe 


--- Alon Tirosh <j0keralpha () gmail com> wrote:

> Admitted, i did not notice the type/class
> difference. I responded as a knee
> jerk reaction, and that is my mistake.
>
> For the second part, the any query type is useful
> (when targeted at either
> your NS and/or public NS servers) to quickly alert
> to issues such as the one
> being discussed with GoDaddy and Nectartech right
> now on this list.
>
> Pick and/or set up an NS server that is TTL agnostic
> (flameArmor: this
> system is to be used for disparate up-to-date checks
> only, and I know by
> spec this is far from foolproof but its saved my ass
> a couple times in the
> past) and checks disparate roots and its useful for
> finding or alerting to
> major name system, registrar ,and provider issues
> quickly.
>
> Im diverging off-topic, im sure. gnight.
>
> On 1/17/06, william(at)elan.net <william () elan net>
> wrote:
> > Did you notice that it was class "ANY" and not
> type "ANY" that Paul noted?
> > I've never ever heard of it being used
> anywhere....
> > As for ANY query type, what do you think will
> happen when you query with
> > "ANY" to a host in a domain that is not in your
> local dns server cache?
> > And btw if it is in your dns cache, how
> predictable do you think such
> > results are going to be???
> >
> > On Tue, 17 Jan 2006, Alon Tirosh wrote:
> >
> > > Not true,. the ANY query has mutliple uses for
> consolidating multiple
> > > diagnostic queries into a single display, and
> also for diversion
> > monitoring
> > > systems on small domains or groups of same. Not
> all of us have the
> > resources
> > > (or time) of large ISPs behind us.
> > >
> > > On 15 Jan 2006 17:27:40 +0000, Paul Vixie
> <vixie () vix com> wrote:
> > > > > client xx.xx.xx.xx#6704: query: z.tn.co.za ANY
> ANY +E
> > > > class "ANY" has no purpose in the real world,
> not even for
> > debugging.  if
> > > > you see it in a query, you can assume malicious
> intent.  if you hear it
> > in
> > > > a query, you can safely ignore that query, or
> at best, map it to class
> > > > "IN".
> > > > --
> > > > Paul Vixie



        
        
                
__________________________________ 
Do you Yahoo!? 
New and Improved Yahoo! Mail - 1GB free storage! 
http://sg.whatsnew.mail.yahoo.com