Re: [opennic-discuss] DDOS blocking

  • From: David Norman <deekayen AT>
  • To: discuss AT
  • Subject: Re: [opennic-discuss] DDOS blocking
  • Date: Sat, 6 Apr 2013 22:11:38 -0400

I had some abusive ANY queries today. I had everything on the Tier2Security
wiki page except the hash limit. Since I don't log, I had to tcpdump; grepping
that for ANY made the offender very obvious.

It took the script 1h10m to figure out what was going on and block all
queries from the main offender. Now I've added the hash limits in iptables
but at 50 instead of 30. I think it probably ought to go even higher than 50.
At the rate they were querying, there's still a big difference between a high
volume user and being part of a DoS.

On Apr 3, 2013, at 10:25 AM, Aaron J. Angel <thatoneguy AT> wrote:

> On 04/03/2013 09:52 AM, Jeff Taylor wrote:
>> I'm also not sure about the +E, but take a look at the tcpdump section
> Recursion requested (+). EDNS0 enabled (E); that is, large DNS messages.
>> I'm starting to wonder if we should make it a policy to drop all ANY
>> requests? It seems that is the key factor behind all of these attacks,
>> and other than the servers talking between themselves, I don't know of
>> any use a client would have for such a query.
> This doesn't resolve the problem, it just covers up a portion of it.
>> On 04/02/2013 11:53 PM, kennytaylor AT wrote:
>>> I'm not entirely sure offhand what that query is asking for.
> The query (. IN ANY) is requesting all records for the root zone. As you
> can imagine, that's a fairly hefty request to be made that often. Likely
> the result of the previous request ( ANY ANY) being blocked by
> name servers claiming authority for, then serving no results.
> (Apparently, that domain had a rather large TXT record.)
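The "tcpdump, then grep for ANY" triage described above, as an added example that is not part of the original thread or of the OpenNIC wiki: it parses tcpdump DNS query lines, counts ANY queries per source, and flags sources over a threshold (50 here, mirroring the hashlimit value in the post). The capture lines, addresses and threshold are constructed for the example.

```python
import re
from collections import Counter

# Regex for a tcpdump DNS query line (tcpdump -n port 53), e.g.
#   22:11:38.123456 IP 203.0.113.5.4321 > 10.0.0.1.53: 1234+ [1au] ANY? . (28)
# Captures the source address and the query type/name; the "+" after the id
# means recursion desired and "[1au]" is the EDNS0 OPT record tcpdump shows.
QUERY_RE = re.compile(
    r"IP (?P<src>\S+?)\.(?P<sport>\d+) > \S+\.53: "
    r"(?P<id>\d+)[+%$]*(?: \[[^\]]+\])? (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)"
)


def parse_queries(lines):
    """Yield (src_ip, qtype, qname) for every line that is a DNS query."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m.group("src"), m.group("qtype"), m.group("qname")


def any_query_counts(lines):
    """Count ANY queries per source address (the 'grep ANY' from the post)."""
    counts = Counter()
    for src, qtype, _qname in parse_queries(lines):
        if qtype == "ANY":
            counts[src] += 1
    return counts


def flag_offenders(lines, threshold=50):
    """Sources whose ANY-query count exceeds the threshold, busiest first.

    threshold mirrors the hashlimit value in the post (50); a legitimate
    high-volume client rarely sends that many ANY queries in one capture.
    """
    counts = any_query_counts(lines)
    return sorted(((src, n) for src, n in counts.items() if n > threshold),
                  key=lambda item: item[1], reverse=True)


# Constructed sample capture: one source hammering ". IN ANY", one normal
# client doing A lookups, one client with a handful of ANY queries.
SAMPLE_CAPTURE = (
    [f"22:11:{i % 60:02d}.000000 IP 203.0.113.5.{40000 + i} > 10.0.0.1.53: "
     f"{1000 + i}+ [1au] ANY? . (28)" for i in range(120)]
    + [f"22:12:{i:02d}.000000 IP 198.51.100.7.{50000 + i} > 10.0.0.1.53: "
       f"{2000 + i}+ A? example.org. (29)" for i in range(10)]
    + [f"22:13:0{i}.000000 IP 192.0.2.9.{33000 + i} > 10.0.0.1.53: "
       f"{3000 + i}+ ANY? example.org. (29)" for i in range(3)]
)

if __name__ == "__main__":
    for src, n in flag_offenders(SAMPLE_CAPTURE):
        print(f"{src}: {n} ANY queries")
```

Feed it real output with `tcpdump -n -l port 53 | python3 script.py` adapted to read stdin; the threshold should be tuned the same way the post tunes the hashlimit.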
