nanog mailing list archives
Re: DOS attack against DNS?
From: Joe Shen <joe_hznm () yahoo com sg>
Date: Wed, 18 Jan 2006 01:00:36 +0800 (CST)
Last Saturday one of our Web servers experienced a TCP SYN attack which made the system go down for four hours. It seems there is not a good solution which could detect & defend DoS traffic at any time.

So, to the class ANY queries, should we only filter out class ANY queries on public cache servers? To my understanding, the amplifying result could also be reached by query type ANY.

Joe

--- Alon Tirosh <j0keralpha () gmail com> wrote:

> Admitted, I did not notice the type/class difference. I responded as a knee jerk reaction, and that is my mistake.
>
> For the second part, the ANY query type is useful (when targeted at either your NS and/or public NS servers) to quickly alert to issues such as the one being discussed with GoDaddy and Nectartech right now on this list. Pick and/or set up an NS server that is TTL agnostic (flameArmor: this system is to be used for disparate up-to-date checks only, and I know by spec this is far from foolproof but it's saved my ass a couple times in the past) and checks disparate roots and it's useful for finding or alerting to major name system, registrar, and provider issues quickly.
>
> I'm diverging off-topic, I'm sure. gnight.
>
> On 1/17/06, william(at)elan.net <william () elan net> wrote:
>
> > Did you notice that it was class "ANY" and not type "ANY" that Paul noted? I've never ever heard of it being used anywhere....
> >
> > As for ANY query type, what do you think will happen when you query with "ANY" to a host in a domain that is not in your local dns server cache? And btw if it is in your dns cache, how predictable do you think such results are going to be???
> >
> > On Tue, 17 Jan 2006, Alon Tirosh wrote:
> >
> > > Not true. The ANY query has multiple uses for consolidating multiple diagnostic queries into a single display, and also for diversion monitoring systems on small domains or groups of same. Not all of us have the resources (or time) of large ISPs behind us.
> > >
> > > On 15 Jan 2006 17:27:40 +0000, Paul Vixie <vixie () vix com> wrote:
> > >
> > > > > client xx.xx.xx.xx#6704: query: z.tn.co.za ANY ANY +E
> > > >
> > > > class "ANY" has no purpose in the real world, not even for debugging. if you see it in a query, you can assume malicious intent. if you hear it in a query, you can safely ignore that query, or at best, map it to class "IN".
> > > >
> > > > -- Paul Vixie
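The class/type distinction discussed in this thread can be checked directly in query logs. The following is an added example, not part of the original messages: it assumes log lines in the same "client <ip>#<port>: query: <name> <class> <type> <flags>" layout as the line quoted above, and it separates class ANY queries from type ANY queries per client. The sample log lines, the addresses and the threshold value are constructed for illustration.

```python
import re
from collections import Counter

# Layout assumed from the log line quoted in the thread:
#   client <ip>#<port>: query: <name> <class> <type> <flags>
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: "
    r"(?P<name>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

def classify(line):
    """Return (client_ip, verdict), or None if the line is not a query entry."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    qclass, qtype = m["qclass"].upper(), m["qtype"].upper()
    if qclass == "ANY":
        verdict = "class-any"   # the case called out in the thread
    elif qtype == "ANY":
        verdict = "type-any"    # has diagnostic uses, so only count it
    else:
        verdict = "normal"
    return m["ip"], verdict

def summarize(lines, type_any_threshold=3):
    """Count class ANY per client; report type ANY only above a threshold."""
    class_any, type_any = Counter(), Counter()
    for line in lines:
        result = classify(line)
        if result is None:
            continue
        ip, verdict = result
        if verdict == "class-any":
            class_any[ip] += 1
        elif verdict == "type-any":
            type_any[ip] += 1
    noisy = {ip: n for ip, n in type_any.items() if n >= type_any_threshold}
    return {"class_any": dict(class_any), "type_any_over_threshold": noisy}

# Constructed sample input (documentation address ranges).
SAMPLE_LOG = [
    "client 192.0.2.10#6704: query: z.tn.co.za ANY ANY +E",
    "client 192.0.2.10#6705: query: z.tn.co.za ANY ANY +E",
    "client 198.51.100.7#40112: query: example.com IN ANY +",
    "client 198.51.100.7#40113: query: example.com IN ANY +",
    "client 198.51.100.7#40114: query: example.com IN ANY +",
    "client 203.0.113.5#53011: query: www.example.com IN A +",
    "zone example.com/IN: loaded serial 2006011701",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```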