Dns-operations mailing list

[Jeff Taylor <shdwdrgn AT sourpuss.net>]

I agree that you can't prevent a DDoS attack, however the kind that we normally see are from folks trying to use an amplification attack on another target.  Our servers are not the target, just the vehicle for their attack.  By running my perl script, it prevents your server from becoming part of the attacks.  In an amplification attack, most of your bandwidth is used up by your own server trying to respond to the queries.  If you don't respond, the attacker is just wasting their own bandwidth, and they usually figure out that your IP is not helping them.

On 09/18/2012 07:47 AM, Abraão Caldas wrote:

There is no software solution for DDoS, it can help, but if they want the attack will fill your pipe and iptables can only help on last mile. 

2012/9/18 Brian Koontz <brian AT opennicproject.org>

On Tue, Sep 18, 2012 at 09:12:23AM -0400, Abraão Caldas wrote:
> Some bandwith, and you need to secure your server, because some people
> (that don´t have anything better to do) will DoS your server down, like
> mine server. The solution, take it down forever.

I disagree that this is the only solution.  Jeff has a DDOS script
that works well; I posted some iptable rules that utilize hashtable to
block offenders quite effectively.  With these measures in place, my
T2 server runs anywhere from 100kbit/s to 1Mbit/s on occassion.  You
can view all of my T2 traffic logs at gopher://pongonova.gopher.

  --Brian

--
OpenNIC (the sequel) co-founder and wikimaster
IRC: Freenode.net channel #opennic

----
To unsubscribe, email dns-operations-unsubscribe AT lists.opennicproject.org