Skip to Content.
Sympa Menu

discuss - Re: [opennic-discuss] Today's DDoS

discuss AT

Subject: Discuss mailing list

List archive

Re: [opennic-discuss] Today's DDoS

Chronological Thread 
  • From: Stefan Sabolowitsch <Stefan.Sabolowitsch AT>
  • To: "<discuss AT>" <discuss AT>
  • Subject: Re: [opennic-discuss] Today's DDoS
  • Date: Thu, 28 Mar 2013 14:55:55 +0000
  • Accept-language: de-DE, en-US
  • Domainkey-signature: a=rsa-sha1; s=feltengroup_com;; c=simple; q=dns; h=from:message-id; b=KE/9LCa4F7mGYmYY89rnnhiPslSvq8BwMsRPm3Ktuqasd+gp6/5DHb8wOTZw RocxrRjpbQ8D1SQJLOnKlY9o3DFdWdL9gla4uqZoCgp3yCKZRMRVzJMo4 gl1uHTQ0Wd8X0lS3IfBgwJufP+wxdVqdmRFIaK1Ntr3ix7R+rAsrwI=;
  • Vbr-info:; mc=all;;

Hi Jeff / all
Thank you for your help but i have a good solution with DNS Dampening and a pro active IPS / FW.
Thus, all systems are stable and accessible (i hope so for the future).


Am 28.03.2013 um 15:29 schrieb Jeff Taylor <shdwdrgn AT>:

Have you looked at http://wiki.opennic.glue/Tier2Security ?
If you can post a few examples of what you're getting from tcpdump, we could try to help.  Having several example packets will tell me if the bot hitting you is using a single port, or if there is a pattern in the attack we can use to block them.  Unfortunately the log snippet you posted does not give any useful info.

On 03/28/2013 02:06 AM, Stefan Sabolowitsch wrote:
Hi all, 
I can not say that it is quiet / silent for me.
On all three DNS Servers, i've been constantly DNS attacks for about 4 weeks and this with 1 -2 k requests per second

really small example:
03/28/2013-06:13:39.134900 [Drop] [**] [1:2016016:6] ET CURRENT_EVENTS DNS Amplification Attack Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} ->

But help me out here DNS Dampening and an pro active IPS System.


Archive powered by MHonArc 2.6.19.

Top of Page