
Re: [opennic-discuss] Dos attack?


  • From: Jeff Taylor <shdwdrgn AT sourpuss.net>
  • To: OpenNIC discussion <discuss AT lists.opennicproject.org>
  • Subject: Re: [opennic-discuss] Dos attack?
  • Date: Fri, 09 Mar 2012 08:34:06 -0700

Sorry I'm late to the party.. but yes, the ddosBlock script is intended exactly for this sort of thing. Most of these attacks will in fact come on port 25345, however I started seeing similar instances that were hitting other port numbers. The key to identifying this type of attack is the fact that it *always* comes in on the same port number while it is running. (A normal packet would come on random port numbers.)

The current version of the script will identify this kind of attack on any port, and aimed at any target. As Julian mentioned, it must be run as the root user - others have had problems trying to run this script under sudo. Also as mentioned, you should run this script ONCE and let it fork into the background using & on the command. It should be pretty easy on your CPU and memory.

If you have any problems with it, shout at me on IRC (shdwdrgn) and we'll see what needs tweaking.


On 03/08/2012 04:24 PM, Peter Green wrote:
Hi,

I am getting this line in my named log about once per second...

"08-Mar-2012 23:10:30.885 client 212.227.135.196#80: query: isc.org IN ANY +ED (83.142.229.97)"

It seems to be an extremely close match to the attack mentioned here...
http://wiki.opennicproject.org/ddosBlock

That script seems to be aimed at port 25345, whereas my log seems to show port 80.

Will Jeff's script help and if so, do I simply run it from crontab every second?

I am concerned this may start to impact the websites I am hosting on that server.

I have never added this server to the public list, and wonder why it's being targeted.

I hope someone can help.

Peter
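The detection rule Jeff describes above (a source that keeps sending from one fixed source port, where ordinary resolvers pick a random port per query) can be checked directly against the BIND query-log lines Peter quotes. The following is an added example, not the ddosBlock script from the wiki and not code from either poster: it parses constructed log lines in the same format as Peter's, counts queries per client IP and source port, flags any ip#port pair that repeats past a threshold, and emits an iptables rule of the kind such a blocker would install. The threshold, the sample addresses and the rule shape are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the BIND query-log format quoted in the thread (not real
# traffic). One "client" keeps hitting from port 80 with ANY queries; the others
# use a fresh ephemeral port per query, as a normal resolver would.
SAMPLE_LOG = """\
08-Mar-2012 23:10:30.885 client 212.227.135.196#80: query: isc.org IN ANY +ED (83.142.229.97)
08-Mar-2012 23:10:31.102 client 10.0.0.5#53211: query: www.example.org IN A + (83.142.229.97)
08-Mar-2012 23:10:31.887 client 212.227.135.196#80: query: isc.org IN ANY +ED (83.142.229.97)
08-Mar-2012 23:10:32.410 client 10.0.0.9#41022: query: mail.example.org IN MX + (83.142.229.97)
08-Mar-2012 23:10:32.890 client 212.227.135.196#80: query: isc.org IN ANY +ED (83.142.229.97)
08-Mar-2012 23:10:33.879 client 212.227.135.196#80: query: isc.org IN ANY +ED (83.142.229.97)
08-Mar-2012 23:10:34.020 client 10.0.0.5#60137: query: www.example.org IN AAAA + (83.142.229.97)
08-Mar-2012 23:10:34.884 client 212.227.135.196#80: query: isc.org IN ANY +ED (83.142.229.97)
"""

# "client <ip>#<port>: query: <name> IN <type>" is the part of the line we need.
LOG_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def parse_queries(text):
    """Yield (ip, port, name, qtype) for every query line that matches the format."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m["ip"], int(m["port"]), m["name"], m["qtype"]


def flag_fixed_port_clients(text, threshold=4):
    """Return {(ip, port): count} for clients that repeat the same source port.

    threshold is an assumed cut-off: a client must send at least this many
    queries from one ip#port pair before it is reported. Legitimate resolvers
    randomise the source port, so a pair that repeats is the signal Jeff
    describes, regardless of which port number it happens to be.
    """
    per_client_ports = defaultdict(Counter)
    for ip, port, _name, _qtype in parse_queries(text):
        per_client_ports[ip][port] += 1
    flagged = {}
    for ip, ports in per_client_ports.items():
        for port, n in ports.items():
            if n >= threshold:
                flagged[(ip, port)] = n
    return flagged


def iptables_rules(flagged):
    """Build one DROP rule per flagged ip#port pair (illustrative rule shape).

    The source IP in a reflection attack is the spoofed victim, so dropping the
    matching UDP queries stops this server from sending it amplified answers.
    """
    return [
        f"iptables -I INPUT -p udp -s {ip} --sport {port} --dport 53 -j DROP"
        for (ip, port) in sorted(flagged)
    ]


if __name__ == "__main__":
    hits = flag_fixed_port_clients(SAMPLE_LOG)
    for (ip, port), n in hits.items():
        print(f"{ip}#{port}: {n} queries from a fixed source port")
    for rule in iptables_rules(hits):
        print(rule)
```

Run it once over a tail of the query log and only the fixed-port client is reported; the two resolvers that change port between queries are not, even though one of them also sent several queries. Before installing rules, confirm that the flagged address is not a legitimate forwarder that happens to pin its source port, since this heuristic keys on port reuse alone, not on the query type.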


