Re: [opennic-discuss] DDOS blocking

  • From: Jeff Taylor <shdwdrgn AT>
  • To: discuss AT
  • Subject: Re: [opennic-discuss] DDOS blocking
  • Date: Wed, 03 Apr 2013 07:52:02 -0600

I'm also not sure about the +E, but take a look at the tcpdump section
of http://wiki.opennic.glue/Tier2Security and see if your output matches
what I've been seeing. I've been getting a non-stop flood of this
packet since February, which is also querying ANY from the root zone.
I've been completely dropping these packets for the past month, but the
flood still continues.

I'm starting to wonder if we should make it a policy to drop all ANY
requests? It seems that is the key factor behind all of these attacks,
and other than the servers talking between themselves, I don't know of
any use a client would have for such a query.

On 04/02/2013 11:53 PM, kennytaylor AT wrote:
> Hi all,
> I am getting hit tonight with 5-10 minute bursts of the DNS reflection
> attack. I have an iptables rate limiter in place and that seems to reduce
> the impact without adversely affecting legit traffic. There's a snippet of
> bind log below. I'm not entirely sure offhand what that query is asking
> for. I think it's asking for the ICANN root servers, but I'm not sure what
> the +E means. Is this a request that any legitimate client would ever make?
> 02-Apr-2013 22:45:25.304 client query: . IN ANY +E
> (
> 02-Apr-2013 22:45:25.304 client query: . IN ANY +E
> (
> 02-Apr-2013 22:45:25.331 client query: . IN ANY +E
> (
> 02-Apr-2013 22:45:25.332 client query: . IN ANY +E
> (
> Thanks,
> Kenny
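The quoted log lines are in BIND 9's query-log shape (`client <ip>#<port>: query: <qname> <class> <qtype> <flags> (<local address>)`), where the flags field starts with `+` when recursion was requested and `E` means the query carried an EDNS OPT record; the archive stripped the client addresses. The script below is an added example (not code from either poster) that parses such lines and flags sources sending bursts of `. IN ANY` queries, the pattern both messages describe. The sample log lines, the client addresses and the threshold/window values are constructed for illustration.

```python
"""Flag bursts of '. IN ANY' queries in BIND 9 query-log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Line shape quoted in the thread, with the client address the archive removed:
#   <date> client <ip>#<port>: query: <qname> <class> <qtype> <flags> (<local-addr>)
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client>[^#\s]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>[+-][A-Z]*)"
    r"(?: \((?P<local>[^)]*)\))?$"
)


def parse_line(line):
    """Return a dict for one query-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    # '+' = recursion desired; the letters after it are BIND's flag codes,
    # 'E' meaning the query carried an EDNS OPT record (large UDP answers allowed).
    rec["recursion_desired"] = rec["flags"].startswith("+")
    rec["edns"] = "E" in rec["flags"]
    return rec


def is_root_any(rec):
    """The pattern quoted in the thread: a query for '. IN ANY'."""
    return rec["qname"] == "." and rec["qclass"] == "IN" and rec["qtype"] == "ANY"


def find_burst_sources(lines, threshold=3, window_seconds=10):
    """Return {client: total root-ANY queries} for every client that sent at
    least `threshold` root-ANY queries inside any `window_seconds` span."""
    recent = defaultdict(deque)   # client -> timestamps inside the current window
    totals = defaultdict(int)
    flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_root_any(rec):
            continue
        client = rec["client"]
        totals[client] += 1
        window = recent[client]
        window.append(rec["ts"])
        while (rec["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged.add(client)
    return {c: totals[c] for c in flagged}


# Constructed sample: one address repeating the quoted burst, one normal
# A query, and one address sending isolated root-ANY queries far apart.
SAMPLE_LOG = [
    "02-Apr-2013 22:45:25.304 client 198.51.100.7#53: query: . IN ANY +E (203.0.113.2)",
    "02-Apr-2013 22:45:25.304 client 198.51.100.7#53: query: . IN ANY +E (203.0.113.2)",
    "02-Apr-2013 22:45:25.331 client 198.51.100.7#53: query: . IN ANY +E (203.0.113.2)",
    "02-Apr-2013 22:45:25.332 client 198.51.100.7#53: query: . IN ANY +E (203.0.113.2)",
    "02-Apr-2013 22:45:26.010 client 192.0.2.10#41532: query: www.example.com IN A + (203.0.113.2)",
    "02-Apr-2013 22:45:40.500 client 192.0.2.44#5353: query: . IN ANY +E (203.0.113.2)",
    "02-Apr-2013 22:47:00.000 client 192.0.2.44#5353: query: . IN ANY +E (203.0.113.2)",
]

if __name__ == "__main__":
    print(find_burst_sources(SAMPLE_LOG))  # {'198.51.100.7': 4}
```

One caveat when acting on the output: in a reflection attack the source address is spoofed, so the flagged "client" is the reflection target rather than the sender, which is why rate-limiting responses to it (as Kenny's iptables limiter does) reduces the amplified traffic hitting that target without needing to identify the real origin.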
