
Re: [opennic-discuss] DDOS blocking


  • From: David Norman <deekayen AT deekayen.net>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] DDOS blocking
  • Date: Sat, 6 Apr 2013 22:11:38 -0400

I had some abusive ANY queries today. I had everything on the Tier2Security
wiki page except the hash limit. Since I don't log, I had to tcpdump; grepping
that for ANY made the offender very obvious.

It took the ddos.pl script 1h10m to figure out what was going on and block all
queries from the main offender. Now I've added the hash limits in iptables,
but at 50 instead of 30. I think it probably ought to go even higher than 50.
At the rate they were querying, there's still a big difference between a high
volume user and being part of a DoS.

On Apr 3, 2013, at 10:25 AM, Aaron J. Angel <thatoneguy AT aaronjangel.us> wrote:

> On 04/03/2013 09:52 AM, Jeff Taylor wrote:
>> I'm also not sure about the +E, but take a look at the tcpdump section
>
> Recursion requested (+). EDNS0 enabled (E); that is, large DNS messages.
>
>> I'm starting to wonder if we should make it a policy to drop all ANY
>> requests? It seems that is the key factor behind all of these attacks,
>> and other than the servers talking between themselves, I don't know of
>> any use a client would have for such a query.
>
> This doesn't resolve the problem, it just covers up a portion of it.
> http://www.corecom.com/external/livesecurity/dnsamplification.htm
>
>> On 04/02/2013 11:53 PM, kennytaylor AT runbox.com wrote:
>>> I'm not entirely sure offhand what that query is asking for.
>
> The query (. IN ANY) is requesting all records for the root zone. As you
> can imagine, that's a fairly hefty request to be made that often. Likely
> the result of the previous request (z.tn.co.za ANY ANY) being blocked by
> name servers claiming authority for z.tn.co.za, then serving no results.
> (Apparently, that domain had a rather large TXT record.)
>
>
> --------
> You are a member of the OpenNIC Discuss list. You may unsubscribe by
> emailing discuss-unsubscribe AT lists.opennicproject.org
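The two steps David describes above, grepping a tcpdump capture for ANY queries to find the offender, and then rate-limiting per source with an iptables hashlimit rule, can be worked through offline. The script below is an added example and is not code from the thread or from the OpenNIC wiki: it parses constructed tcpdump-style lines (the line shape, including the "+" recursion-desired flag and the "[1au]" EDNS0 marker, is an assumption about `tcpdump -n udp port 53` output and varies by tcpdump version), counts ANY queries per source, and models a `--hashlimit-mode srcip` rule as a per-source token bucket so the 30 vs 50 threshold question can be tested against a sample burst. The sample capture, with one source sending ". ANY" at 100 qps next to an ordinary stub resolver, is made up for this example.

```python
import re
from collections import defaultdict

MICRO = 1_000_000  # tokens and time are kept as integers in microseconds

# Assumed tcpdump line shape (constructed, not taken from the thread):
#   HH:MM:SS.uuuuuu IP src.sport > dst.53: id[flags] [edns] QTYPE? qname (len)
# "+" after the id = recursion desired; "[1au]" = EDNS0 OPT record present.
LINE_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.(?P<us>\d{6}) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.53: "
    r"(?P<id>\d+)(?P<flags>[+%$|]*)(?: \[[^\]]+\])* "
    r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)"
)


def parse_line(line):
    """Return a dict for a DNS query line, or None for anything else
    (responses, non-DNS traffic, tcpdump chatter)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    secs = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    return {
        "time_us": secs * MICRO + int(m["us"]),
        "src": m["src"],
        "qtype": m["qtype"],
        "qname": m["qname"],
        "rd": "+" in m["flags"],
        "edns": "[1au]" in line,
    }


def count_any_per_source(lines):
    """The grep-for-ANY step: number of ANY queries sent by each source IP."""
    counts = defaultdict(int)
    for line in lines:
        q = parse_line(line)
        if q and q["qtype"] == "ANY":
            counts[q["src"]] += 1
    return dict(counts)


def hashlimit(lines, rate_per_sec, burst):
    """Model an iptables hashlimit rule keyed on source IP as a token bucket:
    each source starts with `burst` tokens, regains `rate_per_sec` tokens per
    second up to `burst`, and a query that finds the bucket below one token
    is dropped. Returns {src: (accepted, dropped)}."""
    cap = burst * MICRO
    tokens, last = {}, {}
    result = defaultdict(lambda: [0, 0])
    for line in lines:
        q = parse_line(line)
        if q is None:
            continue
        src, now = q["src"], q["time_us"]
        if src in tokens:
            tokens[src] = min(cap, tokens[src] + (now - last[src]) * rate_per_sec)
        else:
            tokens[src] = cap
        last[src] = now
        if tokens[src] >= MICRO:
            tokens[src] -= MICRO
            result[src][0] += 1
        else:
            result[src][1] += 1
    return {src: tuple(v) for src, v in result.items()}


def make_sample():
    """Constructed capture: 198.51.100.7 sends ". ANY" at 100 qps for two
    seconds; 203.0.113.5 is a stub resolver asking an A record every 0.5 s."""
    lines = []
    for i in range(200):
        lines.append(f"22:10:{1 + i // 100:02d}.{(i % 100) * 10000:06d} IP "
                     f"198.51.100.7.{40000 + i} > 10.0.0.1.53: {1000 + i}+ [1au] ANY? . (28)")
    for i in range(10):
        lines.append(f"22:10:{1 + i // 2:02d}.{(i % 2) * 500000:06d} IP "
                     f"203.0.113.5.{50000 + i} > 10.0.0.1.53: {2000 + i}+ A? www.example.org. (33)")
    lines.sort()  # fixed-width timestamp prefix, so string order is time order
    return lines


if __name__ == "__main__":
    sample = make_sample()
    print("ANY queries per source:", count_any_per_source(sample))
    for rate in (30, 50):
        print(f"hashlimit {rate}/s burst {rate}:", hashlimit(sample, rate, rate))
```

Running it shows why the threshold matters: with 50/s the bursting source still gets roughly burst plus two seconds of refill through before the rest is dropped, while the stub resolver is never touched, and lowering the rule to 30/s drops more of the flood without affecting the legitimate client either. Feeding a real capture in is a matter of replacing `make_sample()` with the lines of a `tcpdump -n udp port 53` run, after checking that the regex matches your tcpdump version's output.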




