- From: Guillaume Parent <gparent AT gparent.org>
- To: discuss AT lists.opennicproject.org
- Subject: Re: [opennic-discuss] DoS amp attack / Top20
- Date: Thu, 2 May 2013 14:04:43 -0400
Hi,
Some updates.
Saw this query today:
02-May-2013 17:52:42.521 queries: info: client 109.3.51.194#80: query: . IN RRSIG +E (106.186.17.181)
Looks like the high school kids attacking us can read mailing lists or something. This should be pretty trivial to block but I wanted to share it in advance in case some of you hadn't seen the pattern yet.
On Mon, Apr 29, 2013 at 10:32 PM, Jeff Taylor <shdwdrgn AT sourpuss.net> wrote:
I logged the source IPs for about 8 hours one day and got around 750 unique IPs. These were all over the globe and seemed to have no relation to each other, other than the obvious clusters in certain subnets.
Kenny, you mentioned seeing new IPs coming up after blocking the current ones, and I think I may know what happened. When I was watching for a period of time, I noticed the same, usually around 4 source IPs attacking at once, however each IP would rotate out every 3-5 minutes for a new address. It may not have been that the attacker detected your blocks, but rather that the source IP was simply getting rotated out at the same time you were blocking the addresses?
I've had a nice quiet week with no attacks, but unfortunately they started back up again today. I don't know why... the packet they are sending has been blocked by iptables since February. Obviously the person(s) running the attack are too stupid to pay attention to the effectiveness of the DNS hosts they are using. "Gee why hasn't my attack taken down my target yet? Oh I'm wasting all my bandwidth on DNS servers that aren't playing my game..."
On 04/29/2013 05:25 PM, Alex M (Coyo) wrote:
On 04/29/2013 04:37 PM, Guillaume Parent wrote:
The tier 2 security page shows how to trivially defeat these attacks through netfilter. It is available on the wiki.
The target is the source IP address, not isc.org.
are these source ip addresses related to each other in any way?
in other words, what does rdns say about these source ip addresses?
do they make sense as an attack target?
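As an added example that is not part of this thread, here is a small Python detector over BIND-style query-log lines in the format quoted above: it parses each line, flags the small-request/large-answer pattern (RRSIG or ANY lookups with EDNS, as in the ". IN RRSIG +E" line), and tallies flagged queries per source address, the kind of count Jeff describes doing by hand. The regex, the set of query types and all sample lines other than the thread's own are constructed assumptions.

```python
import re
from collections import Counter

# Regex for the BIND 9 query-log layout seen in the thread (assumption; the
# trailing "(106.186.17.181)" is not captured because the detection does not need it).
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) queries: info: client (?P<ip>[^#]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)

# Query types whose responses are large relative to a ~60-byte request and so are
# attractive for reflection. RRSIG is the type from the thread; ANY and DNSKEY are
# added here as an assumption based on their typical response sizes.
AMPLIFYING_TYPES = {"ANY", "RRSIG", "DNSKEY"}

# Constructed sample log: the thread's own line (twice) plus ordinary resolver traffic.
SAMPLE_LOG = """\
02-May-2013 17:52:42.521 queries: info: client 109.3.51.194#80: query: . IN RRSIG +E (106.186.17.181)
02-May-2013 17:52:42.530 queries: info: client 109.3.51.194#80: query: . IN RRSIG +E (106.186.17.181)
02-May-2013 17:52:43.001 queries: info: client 192.0.2.10#53211: query: www.example.org IN A + (106.186.17.181)
02-May-2013 17:52:43.120 queries: info: client 198.51.100.7#80: query: isc.org IN ANY +E (106.186.17.181)
02-May-2013 17:52:44.000 queries: info: client 192.0.2.11#40213: query: example.net IN AAAA +E (106.186.17.181)
"""

def parse_query_line(line):
    """Return a dict of fields for one query-log line, or None if it does not match."""
    m = QUERY_RE.match(line)
    return m.groupdict() if m else None

def is_amplification_candidate(q):
    """Flag a large-answer query type sent with EDNS ("E" in the flags field),
    which is what lets a tiny request elicit a multi-kilobyte UDP reply.
    The observed qname "." and source port 80 are further oddities worth logging
    but are not required for the match."""
    return q["qtype"] in AMPLIFYING_TYPES and "E" in q["flags"]

def summarize(log_text):
    """Count flagged queries per source IP over the whole log text."""
    per_source = Counter()
    for line in log_text.splitlines():
        q = parse_query_line(line)
        if q and is_amplification_candidate(q):
            per_source[q["ip"]] += 1
    return per_source

if __name__ == "__main__":
    for ip, n in summarize(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} amplification-pattern queries")
```

Note that the flagged source addresses are the spoofed victims of the reflection, not the sender, so the tally identifies who is being targeted rather than who is attacking.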