Discuss mailing list

[David Norman <deekayen AT deekayen.net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I'm not going to put a lot of effort into hosting
ga.us.dns.opennic.glue. If the garbage continues, I'll probably just
turn Bind off. I do real business on that VM and don't really need
people tagging it as a pawn in the middle of DDoS attacks.

Adding these rules to my startup for rc.local basically broke my DNS
service. I've removed them for now, which makes me largely dependent
on ddos.pl again. Should it really take an hour or two for that to
stop this stuff?

iptables -I INPUT -p udp -m hashlimit --hashlimit-srcmask 24
- --hashlimit-mode srcip --hashlimit-upto 50/m --hashlimit-burst 10
- --hashlimit-name DNSTHROTTLE --dport 53 -j ACCEPT
iptables -I INPUT -p udp -m udp --dport 53 -j DROP

On 4/6/13 11:25 PM, Kenny Taylor wrote:
> Being UDP, the source address is likely spoofed.  At least that's
> what I was seeing.  The attackers seemed to rotate through a few
> spoofed source addresses.
> 
> 
> David Norman <deekayen AT deekayen.net> wrote:
> 
>> I had some abusive ANY queries today. I had everything on the 
>> Tier2Security wiki page except the hash limit. Since I don't log,
>> I had to tcpdump; greping that for ANY made the offender very
>> obvious.
> 
>> It took the ddos.pl script 1h10m to figure out what was going on
>> a block all queries from the main offender. Now I've added the
>> hash limits in iptables but at 50 instead of 30. I think it
>> probably ought to go even higher than 50. At the rate they were
>> querying, there's still a big difference between a high volume
>> user and being part of a DoS.
> 
>> On Apr 3, 2013, at 10:25 AM, Aaron J. Angel
>> <thatoneguy AT aaronjangel.us> wrote:
> 
>>> On 04/03/2013 09:52 AM, Jeff Taylor wrote:
>>>> I'm also not sure about the +E, but take a look at the
>>>> tcpdump
>> section
>>> 
>>> Recursion requested (+).  EDNS0 enabled (E); that is, large
>>> DNS
>> messages.
>>> 
>>>> I'm starting to wonder if we should make it a policy to drop
>>>> all ANY requests?  It seems that is the key factor behind all
>>>> of these
>> attacks,
>>>> and other than the servers talking between themselves, I
>>>> don't know
>> of
>>>> any use a client would have for such a query.
>>> 
>>> This doesn't resolve the problem, it just covers it up a
>>> portion of
>> it.
>> http://www.corecom.com/external/livesecurity/dnsamplification.htm
>>>
>>>>
>> 
On 04/02/2013 11:53 PM, kennytaylor AT runbox.com wrote:
>>>>> I'm not entirely sure offhand what that query is asking
>>>>> for.
>>> 
>>> The query (. IN ANY) is requesting all records for the root
>>> zone. As
>> you can imagine, that's a fairly hefty request to be made that
>> often. Likely the result of the previous request (z.tn.co.za ANY
>> ANY) being blocked by name servers claiming authority for
>> z.tn.co.za, then serving no results.  (Apparently, that domain
>> had a rather large TXT record.)
>>> 
>>> 
>>> -------- You are a member of the OpenNIC Discuss list. You may
>>> unsubscribe by
>> emailing discuss-unsubscribe AT lists.opennicproject.org
> 
> 
> 
> 
>> -------- You are a member of the OpenNIC Discuss list. You may
>> unsubscribe by emailing 
>> discuss-unsubscribe AT lists.opennicproject.org
> 
> 
> 
> 
> -------- You are a member of the OpenNIC Discuss list. You may
> unsubscribe by emailing
> discuss-unsubscribe AT lists.opennicproject.org
> 

-----BEGIN PGP SIGNATURE-----

iQewBAEBCgAGBQJRYO7qAAoJEKPH7FVYbGrVwVs8oKDHt/ViSz82MWooiMfFi8E9
9cTm1PfHPkrr/XMO+djkQIko6xE1cNnFqK2sNycB6ZYSTginqdbRdGky6oZpqEA7
wNWnnnqO5c1T91B8v9ka4YpobRRj5lhTuGXkdstmRwDAOtW70n+yTZXxYLfIn0Dl
d/yvN3QgeymGUZFaIhSWG1Jxu71xquYWUl3Zas44q0/C1UQ9FV2MbJSomRSAwFns
ZGzqZ/xUOvvlSshSMgf2jgGJzs+SX7oyy1pcdlG/nfETRjG1221Ti7xqQHUf72Qe
6khTX3mPRfP793BR8YNppRpM2pUypyFFIkQ6uCuyeVKSJXFUToMaIOMamaXucwKZ
J9FbPdf/lbJX5sTj0HYYy6VFfQCrXk2BSCvC3nzU/evx7DtH9yrI/Ek5s8dtMfxQ
eDCR8/Muba4oVQIGoWx2uEYU85tZkwPUWU+O/CrqKgtx10P/mfEf5yvNC+hfwwZw
fSO2y7YpbQSAjiCEtzDPW1Jzfx1BnWEwvCY9ksnnxD9brHDD9sKKCuqeKLcdcs6P
rGfUCJFCv3HHoX29pHSS5ACZ9DvpRYDQSRJlYho9YZ5e4DRU0/gGhSvoAOELMz7w
w8LDsaGCQW6zgDAw7dswQz8rK/0s+Qh5edn7noBTPngLVKMlO6T6vu1lfshvdhu/
27hg9EsmgkIqrqz53s0evof/RguN4qloKcu1lw0HUxOajFBGLTSQhzfHkg2+VeWH
uVgvDu2HnOhKQv7Ep0FouRgNFR5KZEKQdGXsCUIsLVfzG5Eti5RL0Vb9aVUMfkCI
0Ck2/Wf5w59apcoStNALxyFe6GcI5BE5AYrbsh6j+1/ZbQ2LE1MUBOIZ7okWQ+NX
yG+hRZhD2mTvDou2j2OiltEIm5e0T24cLond+khtIyLsBjRTY/QYOd5sjIdmdl4T
D7+3yREgYPpTgbZBM9FTnvh4JaJmsAi2BHjnX7wv+rf/vZO5sjTayUcqI1Q6uOL5
sdDfCJP9+Tu8AWrFmuNtTFVkarDhMeaJA4uxroZERz3ekTvmSM2H5O0xFXUsfkke
YSHDL4hV41J9/zlTw8H8woWyCGc7f+QmaHWQZ0GbcokQYpIPElUYEQKu6mvzr5tl
Md5C0pmneiivUWKaj1AElKF+ScVIB/eoBJHe74D0ojBQH/h15rY3dTq4wGzg6A6i
AHvJJqOkdAS2pgYaq6cLsfHLfehX+7Z1HgfD9no4FOdexCrjLi+YPrmDXrAYlrvf
BWXer/cUiYRdopBJVvbMHaXqs09wqvB7IBrYW7D8XpmcJqNiHUkMRqhIaqvOrBcZ
dirTRvv291embBAK9Iv5sj3TSeBDFiEXKeU848GAuv+FU0MzB+WNgOLOvP5OTVpR
FfLvAW/jwASxosYKGGwxhCr0gODqgWhgjGhCmnYjcEfU36hSvsDS/LooFkb3l3+P
+R+MnZYAujGlZqB687wHq8V0QRwoSJWyIIudyL+f5rhIgBNaIkZG6IqEW9vYW5BD
bsy4+5bGRSKYq6Lef2Y2WJGXT9VxRAGYlAU90VTDQTvMdSXbfeXmc6CTOOKBH02D
+ZLExjEyy0a6pLb6nIwFEywZcWXRdu5Bw6AWkdujeRKgOemhKZJErG1RdFdLzgOM
5qEXEGExK88xZamW6vLg8crJHPsz9d0TyqtOWlY1r0z8Ck3HCBicUDVo7hPgB5fw
OF8zHu6wO0negGCBMfHxOZtxqFdBXF2OtoKIsjKpNcQnuHhhMDyIMuFcc0T6Yf2m
sjFaVm6nGkmeCsTxr9XV6mYdpQUEDc7J/yG16zErR0hI5jtFppqP+qmuho0G3Ekq
ukVVi5c3dRSjp+8HXWIH+GqU1ZOj/gFfuAatr6gd/C3e6pa79OIFRWR7GYx6Bx8Z
DexuQ2q7BABQoR9sri6lGTxcjLutUSn7+UxjIZ+a9B7K/2YmjEXlwXqRD+iCxfBV
gSgshVi5DM4b1Fip+u0SpjiUin6UdAgukktXCU6YtP5jInxJp/a5HIGCtaomuCis
oiD9o9ETg8+nfP/PhLyBX2ClUbKFVlYCGO0WzuiB5sHLH2g0xoCJcro47IemZUPV
NVCVgfIPegzqU7YWBw2AvmleuTJQElwg1CdWzsdCH0L5LPv6oIMTsdnyeDoXDAfb
7zCw0Q7CtarvTak3vFsPswA8QqYlhS/E4GP1iycV/0sMiRrwYUYiEhn0J+23yYth
c9sHWbOcxaSYMIonAf57YvRd4tlFjpZTk4Z8io4OmnwLPacl+sXNWsUBhp42WRs5
AwYtm4BQq2bvSgIuN8kYvNXbPbVYxqxrzIN6jiRZZKRhsvXW7fdVjIXtjBdaXjs+
gpZJtw7gZsmkTo7obKPC1NbvbMtnsRCmbkmDc2gf253GhxOZiIum2TywqX3OHCA8
/IuOYgE4HiG/eOwzPWrSFeYA2MAQLitXkMFMGYEAB3cHdw0a59xnfRs8cezSdXiZ
ZmHDRKpRURWG1I5VQHcj5CJKWGRQLumbPJN7Vce5F9e9iIlVXROfTAZrdNmRWwGk
SEz6DTL9pp8iReHQqeWsY+cDb79u9KgvExOAnigS0iR8fuO7jXj16sIEVs4PoC1j
YWLP
=3GDh
-----END PGP SIGNATURE-----