discuss AT lists.opennicproject.org

Subject: Discuss mailing list

List archive

AW: [opennic-discuss] DoS amp attack today

From: "Uwe (ML) Kiewel" <ml AT kiewel-online.ch>
To: "discuss AT lists.opennicproject.org" <discuss AT lists.opennicproject.org>
Subject: AW: [opennic-discuss] DoS amp attack today
Date: Tue, 16 Apr 2013 08:52:29 +0000
Accept-language: de-CH, en-US

iptables -I INPUT -p udp -m string --hex-string "|6473686172696e67036e657400001000|" --algo bm --dport 53 -j DROP

is working for me

Von: discuss-request AT lists.opennicproject.org [discuss-request AT lists.opennicproject.org]" im Auftrag von "Uwe (ML) Kiewel [ml AT kiewel-online.ch]
Gesendet: Dienstag, 16. April 2013 08:09
An: discuss AT lists.opennicproject.org
Betreff: AW: [opennic-discuss] DoS amp attack today

same here, but no affect to cpu. query statistics for the last 24h look here

http://www.kiewel-online.de/index.php/public-dns

Uwe

Von: discuss-request AT lists.opennicproject.org [discuss-request AT lists.opennicproject.org]" im Auftrag von "Guillaume Parent [gparent AT gparent.org]
Gesendet: Dienstag, 16. April 2013 03:21
An: discuss AT lists.opennicproject.org
Betreff: [opennic-discuss] DoS amp attack today

Hey guys,

Got hit by my first semi significant DoS today, about 28 queries per second caused 4 Mbps outbound.

CPU went from 4-6% to 20%. The whole thing went on for about 4-5 hours until I blacklisted the 3 IPs involved.

They requested a massive TXT record that was on a russian server somewhere.

Anyone see something similar?

Re: [opennic-discuss] DoS amp attack today, (continued)
- AW: [opennic-discuss] DoS amp attack today, Uwe (ML) Kiewel, 04/16/2013
  - AW: [opennic-discuss] DoS amp attack today, Uwe (ML) Kiewel, 04/16/2013
- Re: [opennic-discuss] DoS amp attack today, Jeff Taylor, 04/21/2013