Discuss mailing list

[The Doctor <drwho AT virtadpt.net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/17/2012 04:51 PM, Martin C wrote:

> I hope I haven't accidentally blocked the IP of an OpenNIC T1
> testing server, if I have, let me know. Otherwise, this is a heads
> up about a possible DoS attempt which as it turned out, was highly
> annoying.

For what it's worth, I've been seeing stuff like that happening for
over a month now.

A group that I work with has been noticing someone (or someones)
systematically DoSing their VPSes.  Not by flooding them off the Net
through any of the usual means, but by using up their bandwidth quotas
(an in a few cases forcing disconnection because the bandwidth bill
was so high the admin couldn't pay it (thousands of dollars or Euros
at a time for a single VPS)).  This has impacted everything from
software development to communication.  Others of us are taking our
VPSes down as a precaution.

I don't know if this matches what you're seeing or not - it might not
be - but it fits the general pattern of what we're seeing.  Are you
noticing that the attacker is trying variants of the Sloworis attack
directed at different ports (in your case, 53/TCP) and going not for
speed but just stuffing up the connection queue?

- -- 
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

We are not a clone.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlCAK4sACgkQO9j/K4B7F8HmpACg2pI//uOhFyiikeI33Jq+QzxS
no8AnA0uNirgXZBzJZGJydxtqlmlITYP
=5ILZ
-----END PGP SIGNATURE-----