
Re: [opennic-discuss] DoS amp attack / Top20

  • From: Bersl <bersl2 AT>
  • To: discuss AT
  • Subject: Re: [opennic-discuss] DoS amp attack / Top20
  • Date: Mon, 29 Apr 2013 16:41:26 -0500


On 04/29/2013 04:17 PM, Alex M (Coyo) wrote:
> On 04/29/2013 03:53 PM, mike wrote:
>> So any ideas on how to fix it?
>> The RRL patch is helping in my case, but the traffic is still
>> having a significant impact on my network. I may be forced to
>> pull the plug on OpenNIC if it goes much longer.
>> Would the dampening patch buy me anything? I'm thinking probably
>> not.
> Unfortunately, I have little experience with server administration,
> and have never had the pleasure of attempting to mitigate or thwart
> an attack on server and network infrastructure I was responsible
> for, and whose attack I'd be blamed for.
> I'd say the dampening patch and throttling may help, but you may
> need to pull the plug on those resolvers in the short term to
> thwart the attack upon

No need to pull the plug. I use the RRL patch w/ slip 1 (so everything
that would be blocked is simply returned as a truncated answer, which
a legit DNS client should retry over TCP), but I also explicitly block
any IN/ANY/ISC.ORG queries over UDP:

# drop UDP queries whose payload contains the wire-format question isc.org / ANY / IN
iptables -A INPUT -p udp -m udp --dport 53 -m string --hex-string \
    "|03697363036f72670000ff0001|" --algo kmp --to 65535 -j DROP

If one really needs that specific query against my resolvers, use TCP.
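An added example, not part of this thread, showing where that hex string comes from: it is the DNS question section for isc.org / ANY / IN in wire format, rendered in the notation the iptables string match accepts. The helper also checks what a plain substring match over the datagram would and would not catch (function names and the sample queries are my own).

```python
import struct

def dns_question_pattern(name: str, qtype: int = 255, qclass: int = 1) -> bytes:
    """Wire-format question: length-prefixed labels, a zero byte, then QTYPE and QCLASS.
    Defaults give ANY (255) in class IN (1), the query used for amplification."""
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return labels + b"\x00" + struct.pack("!HH", qtype, qclass)

def to_iptables_hex(pattern: bytes) -> str:
    """Render bytes in the |..| form taken by `-m string --hex-string`."""
    return "|" + pattern.hex() + "|"

def is_blocked(udp_payload: bytes, pattern: bytes) -> bool:
    """What `--algo kmp` does: a raw substring search over the datagram, no DNS parsing.
    Note that the pattern also matches any name that ends in the given suffix,
    e.g. www.isc.org, since the question section is never name-compressed."""
    return pattern in udp_payload

def build_query(name: str, qtype: int, qclass: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed sample DNS query (12-byte header with RD set, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + dns_question_pattern(name, qtype, qclass)

if __name__ == "__main__":
    isc_any = dns_question_pattern("isc.org")
    print(to_iptables_hex(isc_any))                       # |03697363036f72670000ff0001|
    print(is_blocked(build_query("isc.org", 255), isc_any))   # True
    print(is_blocked(build_query("isc.org", 1), isc_any))     # False, an A query passes
```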

