
dns-operations - AW: [opennic-dns-operations] request load (requests per second)

dns-operations AT lists.opennicproject.org

Subject: Dns-operations mailing list

  • From: "Uwe (ML) Kiewel" <ml AT kiewel-online.ch>
  • To: "dns-operations AT lists.opennicproject.org" <dns-operations AT lists.opennicproject.org>
  • Subject: AW: [opennic-dns-operations] request load (requests per second)
  • Date: Tue, 25 Sep 2012 08:31:50 +0000
  • Accept-language: de-CH, en-US

cool script. Thanks!

From: dns-operations-request AT lists.opennicproject.org [dns-operations-request AT lists.opennicproject.org] on behalf of Jeff Taylor [shdwdrgn AT sourpuss.net]
Sent: Monday, 24 September 2012 18:04
To: dns-operations AT lists.opennicproject.org
Subject: Re: [opennic-dns-operations] request load (requests per second)

You are being DDOS'ed.  The query for ANY at isc.org accounts for about 95% of the attacks you will see.

Grab a copy of this script: http://wiki.opennic.glue/ddosDotPl
You may need to adjust NETMASK, and in rare cases CHAIN.  If you have a dedicated firewall, run the script from there, otherwise run it on the server that you run your T2 on.  The script needs to be run as root (sudo *might* work, but has not been tested).

Once running, you can view what has been blocked by looking at the file /root/ddos.dns.  If you want to watch the activity in realtime, change DEBUG to 1 and run the script again.

This script tries to block against a few different types of attacks we have seen.  For even more protection, also look into the email Brian Koontz sent to the list on 8/22 ("Using iptables and hashlimits to throttle DNS abuse traffic").  Running both the throttling rules and ddos.pl should keep the attacks down to very manageable levels without affecting legitimate DNS queries.


On 09/24/2012 05:56 AM, Uwe (ML) Kiewel wrote:

here is the link: http://zabbix.kiewel-online.ch/charts.php?ddreset=1&sid=96adf76bc4db12bf

 


From: dns-operations-request AT lists.opennicproject.org [dns-operations-request AT lists.opennicproject.org] on behalf of Uwe (ML) Kiewel [ml AT kiewel-online.ch]
Sent: Monday, 24 September 2012 13:55
To: dns-operations AT lists.opennicproject.org
Subject: [opennic-dns-operations] request load (requests per second)

Hi

 

Do you know your requests per second for your T1 or T2 servers?

 

 

I have round about 6 queries per second. About 4-5 queries are some stupid stuff (requesting ANY for isc.org). A couple of weeks ago, I had about 200 queries per second. A web provider located in France was using my T2 server.

 

You will find a 5-minute updated view here:
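
Added example, not part of the thread and not the ddos.pl script: a Python tally of the pattern discussed above (repeated ANY queries for isc.org), reporting its share of all logged queries and the source networks responsible. The BIND-style query-log format, the constructed sample lines, and the names `parse_query`, `summarize`, `prefix_len` and `min_hits` are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in an assumed BIND-style query-log format (documentation IP ranges).
SAMPLE_LOG = """\
24-Sep-2012 13:50:01.101 client 192.0.2.10#40211: query: isc.org IN ANY +ED (203.0.113.53)
24-Sep-2012 13:50:01.240 client 192.0.2.77#1029: query: isc.org IN ANY +ED (203.0.113.53)
24-Sep-2012 13:50:01.377 client 192.0.2.10#40211: query: isc.org IN ANY +ED (203.0.113.53)
24-Sep-2012 13:50:01.512 client 198.51.100.23#53871: query: www.opennicproject.org IN A + (203.0.113.53)
24-Sep-2012 13:50:01.690 client 192.0.2.201#40211: query: ISC.ORG IN ANY +ED (203.0.113.53)
24-Sep-2012 13:50:02.004 client 198.51.100.23#53872: query: example.geek IN AAAA + (203.0.113.53)
24-Sep-2012 13:50:02.130 client 198.51.100.99#6112: query: isc.org IN ANY +ED (203.0.113.53)
this line is not a query record
"""

QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) \S+ (?P<type>\S+)"
)

def parse_query(line):
    """Return (source ip, lowercased qname, qtype), or None for non-query lines."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None
    return ip, m.group("name").rstrip(".").lower(), m.group("type").upper()

def summarize(lines, qname="isc.org", prefix_len=24, min_hits=3):
    """Return (share of queries that are ANY for qname, networks with >= min_hits)."""
    # Source addresses in such traffic may be spoofed; a flagged network is a candidate to review.
    total, hits = 0, Counter()
    for line in lines:
        rec = parse_query(line)
        if rec is None:
            continue
        total += 1
        ip, name, qtype = rec
        if qtype == "ANY" and name == qname:
            plen = prefix_len if ip.version == 4 else 64  # /64 for IPv6 is this example's choice
            hits[ipaddress.ip_network(f"{ip}/{plen}", strict=False)] += 1
    share = sum(hits.values()) / total if total else 0.0
    flagged = sorted((str(net), n) for net, n in hits.items() if n >= min_hits)
    return share, flagged
```

Calling `summarize(SAMPLE_LOG.splitlines())` on the constructed sample reports that 5 of 7 parsed queries match and flags one /24.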

 




