Discuss mailing list

[Kenny Taylor <kennytaylor AT runbox.com>]

Looks like I'm receiving the exact same traffic here.  I'm going to try your rate limit rules for ANY queries..

Jeff Taylor <shdwdrgn AT sourpuss.net> wrote:

I'm also not sure about the +E, but take a look at the tcpdump section
of http://wiki.opennic.glue/Tier2Security and see if your output matches
what I've been seeing.  I've been getting a non-stop flood of this
packet since February, which is also querying ANY from the root zone. 
I've been completely dropping these packets for the past month, but the
flood still continues.

I'm starting to wonder if we should make it a policy to drop all ANY
requests?  It seems that is the key factor behind all of these attacks,
and other than the servers talking between themselves, I don't know of
any use a client would have for such a query.


On 04/02/2013 11:53 PM, kennytaylor AT runbox.com wrote:

Hi all,

I am getting hit tonight with 5-10 minute bursts of the DNS reflection attack. I have an iptables rate limiter in place and that seems to reduce the impact without adversely affecting legit traffic. There's a snippit of bind log below. I'm not entirely sure offhand what that query is asking for. I think it's asking for the ICANN root servers, but I'm not sure what the +E means. Is this a request that any legitimate client would ever make?

02-Apr-2013 22:45:25.304 client 72.240.106.159#47803: query: . IN ANY +E (208.111.40.37)
02-Apr-2013 22:45:25.304 client 72.240.106.159#47803: query: . IN ANY +E (208.111.40.37)
02-Apr-2013 22:45:25.331 client 72.240.106.159#15198: query: . IN ANY +E (208.111.40.37)
02-Apr-2013 22:45:25.332 client 72.240.106.159#15198: query: . IN ANY +E (208.111.40.37)

Thanks,
Kenny


--------
You are a member of the OpenNIC Discuss list.
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org

--------
You are a member of the OpenNIC Discuss list.
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org