
discuss - Re: [opennic-discuss] DoS amp attack / Top20

Subject: Discuss mailing list

  • From: Jeff Taylor <shdwdrgn AT>
  • To: discuss AT
  • Subject: Re: [opennic-discuss] DoS amp attack / Top20
  • Date: Mon, 29 Apr 2013 20:32:04 -0600

I logged the source IPs for about 8 hours one day and got around 750 unique IPs.  These were all over the globe and seemed to have no relation to each other, other than the obvious clusters in certain subnets.

Kenny, you mentioned seeing new IPs coming up after blocking the current ones, and I think I may know what happened.  When I was watching for a period of time, I noticed the same, usually around 4 source IPs attacking at once, however each IP would rotate out every 3-5 minutes for a new address.  It may not have been that the attacker detected your blocks, but rather that the source IP was simply getting rotated out at the same time you were blocking the addresses?

I've had a nice quiet week with no attacks, but unfortunately they started back up again today.  I don't know why... the packet they are sending has been blocked by iptables since February.  Obviously the person(s) running the attack are too stupid to pay attention to the effectiveness of the DNS hosts they are using.  "Gee why hasn't my attack taken down my target yet?  Oh I'm wasting all my bandwidth on DNS servers that aren't playing my game..."

On 04/29/2013 05:25 PM, Alex M (Coyo) wrote:
On 04/29/2013 04:37 PM, Guillaume Parent wrote:
The tier 2 security page shows how to trivially defeat these attacks through netfilter. It is available on the wiki.

The target is the source IP address, not

are these source ip addresses related to each other in any way?

in other words, what does rdns say about these source ip addresses?

do they make sense as an attack target?
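
Added example, not part of the original thread: one way to check from a resolver's query log whether source addresses disappear on a fixed rotation or only after being blocked, as Jeff suggests above. The log format (`<ISO time> <source IP>`), the schedule, the addresses (documentation ranges) and the function names are all constructed for illustration.

```python
from datetime import datetime, timedelta

T0 = datetime(2013, 4, 29, 12, 0, 0)
# Constructed schedule: (source IP, start offset s, duration s).
SCHEDULE = [("192.0.2.10", 0, 240), ("198.51.100.7", 0, 200),
            ("203.0.113.5", 30, 270), ("192.0.2.77", 60, 180),
            ("198.51.100.99", 210, 300), ("203.0.113.40", 250, 240),
            ("192.0.2.200", 250, 200), ("198.51.100.3", 310, 290)]

def sample_log():
    """Constructed log lines, '<ISO time> <source IP>', one query every 10 s."""
    return sorted(f"{(T0 + timedelta(seconds=s + k)).isoformat()} {ip}"
                  for ip, s, d in SCHEDULE for k in range(0, d + 1, 10))

def active_windows(lines):
    """Map each source IP to (first_seen, last_seen)."""
    seen = {}
    for line in lines:
        stamp, ip = line.split()
        t = datetime.fromisoformat(stamp)
        first, last = seen.get(ip, (t, t))
        seen[ip] = (min(first, t), max(last, t))
    return seen

def dwell_minutes(windows):
    """How long each source stayed active, in minutes."""
    return {ip: (b - a).total_seconds() / 60 for ip, (a, b) in windows.items()}

def peak_concurrency(windows):
    """Largest number of sources active at the same moment."""
    edges = sorted([(a, 1) for a, _ in windows.values()] +
                   [(b + timedelta(seconds=1), -1) for _, b in windows.values()])
    peak = cur = 0
    for _, step in edges:
        cur += step
        peak = max(peak, cur)
    return peak

def rotated_without_block(windows, blocked, capture_end,
                          quiet=timedelta(seconds=60)):
    """Sources never blocked that still went silent before the capture ended."""
    return sorted(ip for ip, (_, last) in windows.items()
                  if ip not in blocked and capture_end - last > quiet)

if __name__ == "__main__":
    w = active_windows(sample_log())
    end = max(last for _, last in w.values())
    print("peak concurrent sources:", peak_concurrency(w))
    print("dwell (min):", {ip: round(m, 1) for ip, m in dwell_minutes(w).items()})
    print("went quiet unblocked:", rotated_without_block(w, {"192.0.2.10"}, end))
```

If most sources that were never blocked also go silent after a similar dwell time, rotation explains the new addresses better than a reaction to the blocks.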
