Re: [opennic-dns-operations] Concerning T2 46.252.139.27 Downtime
  • From: Jeff Taylor <shdwdrgn AT sourpuss.net>
  • To: dns-operations AT lists.opennicproject.org
  • Subject: Re: [opennic-dns-operations] Concerning T2 46.252.139.27 Downtime
  • Date: Sun, 19 Aug 2012 17:02:30 -0600

Have you looked at the code on http://wiki.opennic.glue/ddosDotPl ?
This script was written specifically for the amplification attack.  (Sorry if we already talked about this on IRC, I'm no good at remembering which names go with which nicks.)

Another method of blocking this attack is shutting off that port completely...
# iptables -I INPUT -i eth0 -p udp --sport 25345 -j DROP



On 08/19/2012 05:03 AM, Falk Husemann wrote:
> Hello,
> 
> my T2 at 46.252.139.27 was offline from yesterday 11pm till today 12am.
> 
> The T2 seems to have been used in a DNS Amplification DoS which
> generated too many small UDP packets to the spoofed querying client.
> This took my whole cable connection down (again!).
> 
> These are the queries (had to enable query log for one minute):
> query.log:19-Aug-2012 12:46:41.502 client 199.115.114.218#25345: query: isc.org IN ANY +ED (46.252.139.27)
> 
> Here is the iptables line to stop this attack:
> iptables -A INPUT -p udp -m string --hex-string "|03697363036f726700|" --algo bm -j DROP
> 
> Suggestions/improvements welcome!
> 
> Greets,
> Falk
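Added example in Python, not code from the thread or either poster: it derives the wire-format hex that Falk's --hex-string rule matches on, so the rule can be generated for any name instead of hand-typed, and it scans BIND query-log lines like the one he quoted for the amplification pattern (repeated EDNS ANY queries for one name from one spoofed source address/port). The log lines inside are constructed to mirror his; the 10.0.0.7 client is invented.

```python
import re
from collections import Counter

# BIND query-log line, e.g. "client 199.115.114.218#25345: query: isc.org IN ANY +ED (...)"
QUERY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#(?P<port>\d+): query: (?P<name>\S+) "
    r"IN (?P<qtype>\S+) (?P<flags>[+\-A-Za-z]*)")

def dns_wire_hex(name):
    """Length-prefixed labels ending in the root label, as the query carries the
    name on the wire: isc.org -> 03697363036f726700 (the hex in Falk's rule)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:          # DNS labels are 1..63 bytes
            raise ValueError("bad label %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)                           # root label terminates the name
    return out.hex()

def drop_rule(name):
    """Falk's rule with the hex-string derived from the name instead of hand-typed."""
    return ('iptables -A INPUT -p udp -m string --hex-string "|%s|" --algo bm -j DROP'
            % dns_wire_hex(name))

def parse_query(line):
    m = QUERY_RE.search(line)
    return m.groupdict() if m else None

def amplification_sources(lines, threshold=3):
    """Count EDNS ANY queries per (client ip, port, name) and return the keys at or
    over threshold. A spoofed flood reuses one source port, so the port is part of the key."""
    counts = Counter()
    for line in lines:
        q = parse_query(line)
        if q and q["qtype"] == "ANY" and "E" in q["flags"]:   # E = EDNS, large replies
            counts[(q["ip"], q["port"], q["name"])] += 1
    return {k: n for k, n in counts.items() if n >= threshold}

SAMPLE_LOG = [  # constructed lines modelled on the one quoted in the thread
    "19-Aug-2012 12:46:41.502 client 199.115.114.218#25345: query: isc.org IN ANY +ED (46.252.139.27)",
    "19-Aug-2012 12:46:41.510 client 199.115.114.218#25345: query: isc.org IN ANY +ED (46.252.139.27)",
    "19-Aug-2012 12:46:41.517 client 199.115.114.218#25345: query: isc.org IN ANY +ED (46.252.139.27)",
    "19-Aug-2012 12:46:42.001 client 10.0.0.7#53412: query: www.opennicproject.org IN A + (46.252.139.27)",
]
```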