Skip to Content.
Sympa Menu

discuss - Re: [opennic-discuss] DDOS blocking

discuss AT lists.opennicproject.org

Subject: Discuss mailing list

List archive

Re: [opennic-discuss] DDOS blocking


Chronological Thread 
  • From: Kenny Taylor <kennytaylor AT runbox.com>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] DDOS blocking
  • Date: Sat, 06 Apr 2013 20:25:29 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Being UDP, the source address is likely spoofed. At least that's what I was
seeing. The attackers seemed to rotate through a few spoofed source
addresses.


David Norman <deekayen AT deekayen.net> wrote:

>I had some abusive ANY queries today. I had everything on the
>Tier2Security wiki page except the hash limit. Since I don't log, I had
>to tcpdump; greping that for ANY made the offender very obvious.
>
>It took the ddos.pl script 1h10m to figure out what was going on a
>block all queries from the main offender. Now I've added the hash
>limits in iptables but at 50 instead of 30. I think it probably ought
>to go even higher than 50. At the rate they were querying, there's
>still a big difference between a high volume user and being part of a
>DoS.
>
>On Apr 3, 2013, at 10:25 AM, Aaron J. Angel <thatoneguy AT aaronjangel.us>
>wrote:
>
>> On 04/03/2013 09:52 AM, Jeff Taylor wrote:
>>> I'm also not sure about the +E, but take a look at the tcpdump
>section
>>
>> Recursion requested (+). EDNS0 enabled (E); that is, large DNS
>messages.
>>
>>> I'm starting to wonder if we should make it a policy to drop all ANY
>>> requests? It seems that is the key factor behind all of these
>attacks,
>>> and other than the servers talking between themselves, I don't know
>of
>>> any use a client would have for such a query.
>>
>> This doesn't resolve the problem, it just covers it up a portion of
>it. http://www.corecom.com/external/livesecurity/dnsamplification.htm
>>
>>> On 04/02/2013 11:53 PM, kennytaylor AT runbox.com wrote:
>>>> I'm not entirely sure offhand what that query is asking for.
>>
>> The query (. IN ANY) is requesting all records for the root zone. As
>you can imagine, that's a fairly hefty request to be made that often.
>Likely the result of the previous request (z.tn.co.za ANY ANY) being
>blocked by name servers claiming authority for z.tn.co.za, then serving
>no results. (Apparently, that domain had a rather large TXT record.)
>>
>>
>> --------
>> You are a member of the OpenNIC Discuss list. You may unsubscribe by
>emailing discuss-unsubscribe AT lists.opennicproject.org
>
>
>
>
>--------
>You are a member of the OpenNIC Discuss list.
>You may unsubscribe by emailing
>discuss-unsubscribe AT lists.opennicproject.org

- --
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
-----BEGIN PGP SIGNATURE-----
Version: APG v1.0.8

iQJDBAEBCAAtBQJRYOcoJhxLZW5ueSBUYXlsb3IgPGtlbm55dGF5bG9yQHJ1bmJv
eC5jb20+AAoJELOordj4VKFQGvQQAKvVt5bPPQZdl0LPksPMG6UuVPw8c4u/30Ui
GTaY5xaB9fLwUq9q7tlDJFsJ8270JtyukAoeNxg3geBDMvFhAnJ+odzVg7Lsl1hK
JJ76FEKf4+/WxoC+5i1Rf/vFl79LtIugqZG6P7U1lfCE6tQIjem0qQt2ZWXN4veJ
1znqUjwfiWJ/zbzQPRjdXkfvlRrVWsKuLnA/0y74eDyy1zfCZB67medujCssB+dF
BeNJIPIXtDa8nEJxWFgE1e1k97eGhyhh2CtPz82u0dIjeAzcbpqL6xO+biqbipmK
gzHIp+RvVO6fOXLZao1Sj7MGPV66G9AKHkEdx6dirrZglT/67q67KiISPrIRKfhW
MZiv3aNArfZfIMtzymmdpHFuwJbiKBBhgA2isPfxSPWYDWx8EvSEwXpVvwUGTXfo
rDKNnATjNv40TxxWDN7HCjgy81ToqmsFSRfb22BeS1XGLEXuoInqCYwv8++dtio0
tpd//twYytWqSFXO77VJvrAf9QtU34uauj6+vlPmxoApYo/f8CZK57U0sPrv89bM
y/dMiksOjoR0NTNbwVOrUgOvYu48gjHogAoXazYTYg3iWQjh1rgFIONDFdYK5oyL
wH4fr+3/QJz4BhpJAB79mcyWErORarYr3z/DDRHn9eMQZ6yMLTkCGRGinR3WP32U
LVjtLoia
=jujQ
-----END PGP SIGNATURE-----




Archive powered by MHonArc 2.6.19.

Top of Page