discuss AT lists.opennicproject.org
Subject: Discuss mailing list
List archive
- From: Stefan Sabolowitsch <Stefan.Sabolowitsch AT felten-group.com>
- To: "<discuss AT lists.opennicproject.org>" <discuss AT lists.opennicproject.org>
- Subject: Re: [opennic-discuss] Today's DDoS
- Date: Thu, 28 Mar 2013 14:55:55 +0000
Hi Jeff / all,
Thank you for your help, but I have a good solution with DNS Dampening and a proactive IPS / FW.
Thus, all systems are stable and accessible (I hope so for the future).
Regards
Stefan
On 28.03.2013 at 15:29, Jeff Taylor <shdwdrgn AT sourpuss.net> wrote:
Have you looked at http://wiki.opennic.glue/Tier2Security ?
If you can post a few examples of what you're getting from tcpdump, we could try to help. Having several example packets will tell me if the bot hitting you is using a single port, or if there is a pattern in the attack we can use to block them. Unfortunately the log snippet you posted does not give any useful info.
On 03/28/2013 02:06 AM, Stefan Sabolowitsch wrote:
Hi all,
I cannot say that it is quiet / silent for me.
On all three DNS servers, I've been constantly getting DNS attacks for about 4 weeks, and this with 1-2k requests per second.
Really small example:
03/28/2013-06:13:39.134900 [Drop] [**] [1:2016016:6] ET CURRENT_EVENTS DNS Amplification Attack Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 178.32.81.230:47706 -> 192.168.100.160:53
But help me out here DNS Dampening and a proactive IPS system.
Regards
Stefan
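One way to check from IPS alerts whether a source sticks to a single port or varies it, the question raised in the reply above. This is an added example, not part of the original thread; the function names are hypothetical, and every sample line except the first (the alert quoted in the thread) is constructed.

```python
import re
from collections import defaultdict

# Suricata "fast" alert line, the format of the sample quoted in the thread.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[(?P<action>\w+)\]\s+)?\[\*\*\]\s+"
    r"\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+.*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# First line is the alert from the thread; the rest are constructed samples
# that use documentation address ranges.
SAMPLE = """\
03/28/2013-06:13:39.134900 [Drop] [**] [1:2016016:6] ET CURRENT_EVENTS DNS Amplification Attack Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 178.32.81.230:47706 -> 192.168.100.160:53
03/28/2013-06:13:39.200100 [Drop] [**] [1:2016016:6] ET CURRENT_EVENTS DNS Amplification Attack Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 198.51.100.7:25345 -> 192.168.100.160:53
03/28/2013-06:13:39.200900 [Drop] [**] [1:2016016:6] ET CURRENT_EVENTS DNS Amplification Attack Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 198.51.100.7:25345 -> 192.168.100.160:53
03/28/2013-06:13:39.201700 [Drop] [**] [1:2016016:6] ET CURRENT_EVENTS DNS Amplification Attack Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 198.51.100.7:25345 -> 192.168.100.160:53
03/28/2013-06:13:40.000300 [Drop] [**] [1:2016016:6] ET CURRENT_EVENTS DNS Amplification Attack Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 203.0.113.9:1025 -> 192.168.100.160:53
03/28/2013-06:13:40.050300 [Drop] [**] [1:2016016:6] ET CURRENT_EVENTS DNS Amplification Attack Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 203.0.113.9:40211 -> 192.168.100.160:53
this line is not an alert and is skipped
"""

def summarize(lines, dport=53):
    """Group alerts aimed at dport by source IP: hit count and source ports seen."""
    stats = defaultdict(lambda: {"hits": 0, "sports": set()})
    for line in lines:
        m = FAST_RE.match(line.strip())
        if not m or int(m["dport"]) != dport:
            continue  # skip non-alert lines and alerts for other services
        entry = stats[m["src"]]
        entry["hits"] += 1
        entry["sports"].add(int(m["sport"]))
    return dict(stats)

def fixed_port_sources(stats, min_hits=3):
    """Sources seen at least min_hits times that always used one source port."""
    return {src: next(iter(s["sports"])) for src, s in stats.items()
            if s["hits"] >= min_hits and len(s["sports"]) == 1}

if __name__ == "__main__":
    stats = summarize(SAMPLE.splitlines())
    for src, s in sorted(stats.items(), key=lambda kv: -kv[1]["hits"]):
        print(f"{src:15} hits={s['hits']} distinct_sports={len(s['sports'])}")
    print("fixed source port:", fixed_port_sources(stats))
```

Alert lines in this format carry only addresses and ports, so the DNS query names still have to come from a packet capture such as tcpdump.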