Discuss mailing list

[Bersl <bersl2 AT bersl2.info>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/29/2013 04:17 PM, Alex M (Coyo) wrote:
> On 04/29/2013 03:53 PM, mike wrote:
>> So any ideas on how to fix it?
>> 
>> The RRL patch is helping in my case, but the traffic is still
>> having a significant impact on my network. I may be forced to
>> pull the plug on OpenNIC if it goes much longer.
>> 
>> Would the dampening patch buy me anything? I'm thinking probably
>> not.
> 
> Unfortunately, I have little experience with server administration,
> and have never had the pleasure of attempting to mitigate or thwart
> an attack on server and network infrastructure I was responsible
> for, and whose attack I'd be blamed for.
> 
> I'd say the dampening patch and throttling may help, but you may
> need to pull the plug on those resolvers in the short term to
> thwart the attack upon isc.org.
> 

No need to pull the plug. I use the RRL patch w/ slip 1 (so everything
that would be blocked is simply returned as a truncated answer, which
a legit DNS client should retry over TCP), but I also explicitly block
any IN/ANY/ISC.ORG queries over UDP:

iptables -A INPUT -p udp -m udp --dport 53 -m string --hex-string
"|03697363036f72670000ff0001|" --algo kmp --to 65535 -j DROP

If one really needs that specific query against my resolvers, use TCP.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJRfuj8AAoJEKDJEQNczrCUy60H/Rftz6lMOM7nVbw9bbWhUWYl
JTOrSAaRa6hMAKFJS/6Z/SyjxMsOkEIYHdoEa5lMc6AyMyLwsVYcghh4sf6nuHEW
RsnJb6cNn1B/VLJF4rkjjgv+dbvyZflqS60J/xtKQEl6N5Lh6Gz0i65yYg8jMiqa
MDmEbPg4VtAU6L69jELwHFflTAQ35yAsbPo7pBws1bUyCzFmVDCZmGyQiVdkQ5If
NrGXCALT6XGmA6OQKj/l3nPl5sSvYEdGtFXUnSFDi6oZxsArlQz/7NDYYXCHwZB3
q45x294usDZPSyhigKeNeCxCThC92c6pbYV02xYvGMmW+9g55AfeohXpqU83TE8=
=hHuN
-----END PGP SIGNATURE-----