discuss AT lists.opennicproject.org
Subject: Discuss mailing list
- From: Bersl <bersl2 AT bersl2.info>
- To: discuss AT lists.opennicproject.org
- Subject: Re: [opennic-discuss] DoS amp attack / Top20
- Date: Mon, 29 Apr 2013 16:41:26 -0500
On 04/29/2013 04:17 PM, Alex M (Coyo) wrote:
> On 04/29/2013 03:53 PM, mike wrote:
>> So any ideas on how to fix it?
>>
>> The RRL patch is helping in my case, but the traffic is still
>> having a significant impact on my network. I may be forced to
>> pull the plug on OpenNIC if it goes much longer.
>>
>> Would the dampening patch buy me anything? I'm thinking probably
>> not.
>
> Unfortunately, I have little experience with server administration,
> and have never had the pleasure of attempting to mitigate or thwart
> an attack on server and network infrastructure I was responsible
> for, and whose attack I'd be blamed for.
>
> I'd say the dampening patch and throttling may help, but you may
> need to pull the plug on those resolvers in the short term to
> thwart the attack upon isc.org.
>
No need to pull the plug. I use the RRL patch w/ slip 1 (so everything
that would be blocked is simply returned as a truncated answer, which
a legit DNS client should retry over TCP), but I also explicitly block
any IN/ANY/ISC.ORG queries over UDP:
    iptables -A INPUT -p udp -m udp --dport 53 -m string \
        --hex-string "|03697363036f72670000ff0001|" --algo kmp --to 65535 -j DROP
If one really needs that specific query against my resolvers, use TCP.
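Added example, not part of the original message: the --hex-string in the rule above is the DNS wire-format question for isc.org, type ANY, class IN, and this Python sketch rebuilds it and checks which constructed queries the pattern covers. The function names and the sample queries are assumptions made for illustration, and rule_matches models the string match as a plain byte search over the DNS payload.

```python
import struct

QTYPE_ANY = 255   # RFC 1035 QTYPE "*" (ANY)
QCLASS_IN = 1     # RFC 1035 class IN

def question_bytes(name, qtype=QTYPE_ANY, qclass=QCLASS_IN):
    """Encode a DNS question: length-prefixed labels, root byte, QTYPE, QCLASS."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00" + struct.pack("!HH", qtype, qclass)

def hex_string_arg(name, qtype=QTYPE_ANY, qclass=QCLASS_IN):
    """Format the question the way the rule's --hex-string argument is written."""
    return "|" + question_bytes(name, qtype, qclass).hex() + "|"

def build_query(name, qtype=QTYPE_ANY, txid=0x1234):
    """Constructed sample: 12-byte DNS header (RD set, one question) + question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + question_bytes(name, qtype)

def rule_matches(payload, pattern):
    """Simplified model of the string match: exact, case-sensitive byte search."""
    return pattern in payload

if __name__ == "__main__":
    pattern = question_bytes("isc.org")
    print("pattern:", hex_string_arg("isc.org"))
    # Constructed queries: the exact one, an upper-case spelling, and an A query.
    for name, qtype in [("isc.org", QTYPE_ANY), ("ISC.ORG", QTYPE_ANY), ("isc.org", 1)]:
        hit = rule_matches(build_query(name, qtype), pattern)
        print(f"{name:8} qtype={qtype:3} -> {'DROP' if hit else 'pass'}")
```

DNS names compare case-insensitively but the byte pattern does not, so an ANY query spelled in a different case is not covered by this pattern and is left to the RRL limits; ordinary A queries for isc.org pass untouched.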