
discuss - Re: [opennic-discuss] DoS amp attack today

discuss AT lists.opennicproject.org

Subject: Discuss mailing list

  • From: Killman BOFH <killman AT dkcorp.ec>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] DoS amp attack today
  • Date: Thu, 18 Apr 2013 15:17:45 -0500

I have 2Mbps DNS query traffic

screenshot of the attack
http://goo.gl/y2JBJ



dkcorp.ec | CEO
Enterprise Networks
GPG Key: 0xBBDC0CDE
Community: www.sle.ec
OpenNIC Project: opennic.sle.ec
IT Security - ISO 27000 - Packet Core
Phone: +593 995 956811 | +593 07 2952-763


On Thu, Apr 18, 2013 at 2:59 PM, Kenny Taylor <kennytaylor AT runbox.com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I love the "BOFH" alias.  Are you the target of the DoS, or is it an amplification attack?  What kind of queries are you being hit with?

I've seen a lot of ANY queries against the root zone, some ANY queries against isc.org, and someone else was reporting huge TXT records from a Russian domain a few days ago.



Killman BOFH <killman AT dkcorp.ec> wrote:

>I'm having a denial of service attack the block 46.165.192.0/18
>
>
>*dkcorp.ec* <http://dkcorp.ec/> | *CEO*
>*Enterprise Networks*
>Blog: unixlegion.com
>GPG Key: *0xBBDC0CDE*
>Community: www.sle.ec <http://sle.ec>
>OpenNIC Project: opennic.sle.ec
>*IT Security - ISO 27000 - Packet Core*
>Phone: +593 995 956811 | +593 07 2952-763
>
>
>On Wed, Apr 17, 2013 at 3:31 PM, Alex M (Coyo) <coyo AT darkdna.net>
>wrote:
>
>>  Would these DNS dampening, rate-limiting and anti-spoofing techniques
>> work with PowerDNS?
>>
>> Obviously, Snort IDS, and Shoreline Firewall, SELinux and AppArmor are all
>> good, and disabling SU (use sudo only) and using a makejail chroot jail for
>> every service (including bind or pdns, whichever) would be wise, however
>>
>> what can you do in terms of dampening, rate-limiting and other
>> anti-amplification precautions with powerdns?
>>
>>
>> On 04/17/2013 02:50 PM, Guillaume Parent wrote:
>>
>> I checked the Bind 9.8.4 (testing repo on debian) contains the rate
>> limiting patch. I will be compiling the bind9 testing package on a stable
>> base and testing it shortly, if the package seems to work fine I will make
>> it available.
>>
>> On Wed, Apr 17, 2013 at 8:29 AM, mike <mike AT pikeaero.com> wrote:
>>
>>>
>>> I have not built bind with Dampening yet, I just got the RRL patch
>>> going last night. Will try to deploy an instance of the dampening
>>> patch perhaps tonight.
>>>
>>> On 04/17/2013 04:35 AM, Stefan Sabolowitsch wrote:
>>> >
>>> > And yes, not a "DNS only solution" solves the problem alone.
>>> > Important is also a good firewall rules / protection, example (rate
>>> > / session limit, anti address sweeping, anti TCP / UDP flood, and
>>> > so on). A good rock solid firewall is here elementary.
>>> >
>>> > In our business we use Netscreen FW, but privately i can recommend
>>> > for an example "pfsense" http://www.pfsense.org.
>>> >
>>> >
>>> > if possible also a ids / isp system helps
>>> >
>>> > On 16.04.13 22:57, "Jeff Taylor" <shdwdrgn AT sourpuss.net> wrote:
>>> >
>>> >> It sounds great, and for many people this would be a good
>>> >> solution... Except that from what I'm reading, the only way to
>>> >> get it is to compile the bleeding-edge BIND, which most people
>>> >> aren't going to do.
>>> >>
>>> >> On 04/16/2013 12:53 AM, Stefan Sabolowitsch wrote:
>>> >>> Hi guys. Why do you make your life not something easier?
>>> >>> rate-limit and anti-spoof are OK and important, but what really
>>> >>> helps is DNS dampening.
>>>
>>
>
>
>--------
>You are a member of the OpenNIC Discuss list.
>You may unsubscribe by emailing
>discuss-unsubscribe AT lists.opennicproject.org
-----BEGIN PGP SIGNATURE-----
Version: APG v1.0.8
-----END PGP SIGNATURE-----


