nanog mailing list archives
Re: isprime DOS in progress
From: Nathan Ollerenshaw <chrome () stupendous net>
Date: Sat, 24 Jan 2009 10:42:13 +1100
On 24/01/2009, at 6:46 AM, Steven Lisson wrote:
> Hi,
>
> I agree with seeing no traffic to/from 66.230.128.15 but am still seeing flows 'from' 66.230.160.1
>
> Regards, Steve
Hi Steve,

There is at least an iptables rule you can use to drop this specific query, assuming your nameservers run Linux.

http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/

The bind-users mailing list suggested having the ISPs trace back the flows and find the networks emitting the spoofed packets, and have those networks implement BCP 38. While that's the 'right' solution (everyone should be doing ingress filtering, sure, impossible to argue against it), not every network out there is operated by people who give a damn.
This will work at least until the kiddies improve their scripts to query for names that actually exist.
On 24/01/2009, at 8:21 AM, Chris McDonald wrote:
> We [AS3491] null0'd the IP earlier. Rest-of-world encouraged to do the same :/
Good luck with that. Right now they're targeting ISPrime, and you've just made the DoS even more effective for them. With any luck, the rest of the world will follow suit and the bad guys win! yay! :)
Short of getting the rest of the world to properly implement ingress filtering (ha, ha), I think dropping the specific packets that generate the reflected traffic is good enough for now. The load on the reflectors is minimal.
Nathan.
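
An added example, not part of the original message or the linked article: a sketch of the match a "drop this specific query" filter performs, run over constructed DNS payloads. It assumes the query in question is a recursive NS query for the root name (QNAME ".", QTYPE NS, QCLASS IN), as the linked post's title suggests; the function names and sample addresses are hypothetical.

```python
import struct
from collections import Counter

QTYPE_NS, QCLASS_IN = 2, 1

def build_query(qname, qtype, rd=True, txid=0x1234):
    """Build a minimal one-question DNS query payload (constructed sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.split(".") if l)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)

def is_root_ns_query(payload, require_rd=True):
    """True for a query with exactly one question: root name, type NS, class IN."""
    if len(payload) < 17:               # 12-byte header + root name + type/class
        return False                    # truncated or not DNS: never match
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount != 1:  # QR=1 is a response; want one question
        return False
    if require_rd and not flags & 0x0100:   # assumption: only recursive queries
        return False
    if payload[12] != 0:                # first QNAME length byte 0 means root
        return False
    qtype, qclass = struct.unpack("!HH", payload[13:17])
    return qtype == QTYPE_NS and qclass == QCLASS_IN

def tally(packets):
    """Count matching queries per claimed (possibly spoofed) source address."""
    hits = Counter()
    for src, payload in packets:
        if is_root_ns_query(payload):
            hits[src] += 1
    return hits

# Constructed traffic: (claimed source, UDP payload); documentation addresses.
SAMPLE = [
    ("192.0.2.10", build_query("", QTYPE_NS)),
    ("192.0.2.10", build_query("", QTYPE_NS, txid=0x9999)),
    ("198.51.100.7", build_query("www.example.com", 1)),   # ordinary A query
    ("198.51.100.7", build_query("example.com", QTYPE_NS)),  # NS, but not root
    ("192.0.2.10", build_query("", QTYPE_NS)[:14]),         # truncated packet
]

if __name__ == "__main__":
    for src, count in tally(SAMPLE).items():
        print(f"{src}: {count} root NS queries")
```

Queries for real names and truncated packets pass through unmatched, so a filter built on this match leaves normal resolution alone.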