- From: Jeff Taylor <shdwdrgn AT sourpuss.net>
- To: dns-operations AT lists.opennicproject.org
- Subject: Re: [opennic-dns-operations] lot of traffic to isc.org
- Date: Thu, 22 Nov 2012 09:48:56 -0700
No, ddos.pl will not help for this particular attack because it has
changed recently, however the iptables rule suggested was what I was
going to post here. Another suggestion that will make a big impact
on these attacks was suggested by Brian Koontz ("Using iptables and
hashlimits to throttle DNS abuse traffic", dated 22 Aug 2012).
Using both of these iptables rules together will greatly reduce or
eliminate the impact of the DDoS attack, and ddos.pl will still
catch the older style attacks.

In addition to the isc.org attacks, we have also seen ripe.net
targeted, however I have not been able to capture a packet dump
during one of those so I can add a new hex-string rule similar to
the one below. If you happen to see such an attack, the following
command will capture the hex dump needed...

    # tcpdump -xn -i eth0 not udp src port 53 and udp dst port 53 and '(ip[2:2] != 0)' | grep -A4 'ripe.net'

Note that this will also show legitimate packets, so make sure you
are actually being attacked before sending me anything.

Thanks.

On 11/22/2012 02:08 AM, Steven Coutts wrote:

> ddos.pl didn't help me much, but this iptables snippet someone gave
> me on IRC stopped them:
>
>     /sbin/iptables -I INPUT -p udp -m string --hex-string "|00000000000103697363036f726700|" --algo bm --to 65535 --dport 53 -j DROP
>
> Regards
>
> On Thursday 22 Nov 2012 01:48:17 Alex Hanselka wrote:
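The hex string in Steven's rule is just the tail of a DNS query header (ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 for the EDNS OPT record) followed by the QNAME "isc.org" in wire format, which is why Jeff asks for a packet dump before writing a matching rule for ripe.net. The following Python is an added illustration, not code from this thread or from the OpenNIC project: it derives the hex string for any name using that same header-count assumption, and it parses a UDP payload the way a detector would to confirm a query is the ANY-for-isc.org pattern before anything is dropped. The names in AMPLIFICATION_NAMES, the build_query helper and the 0x1234 transaction ID are constructed for the example.

```python
import struct

ANY = 255                                 # QTYPE used by the 2012 isc.org amplification queries
AMPLIFICATION_NAMES = {"isc.org", "ripe.net"}  # constructed list: names reported on the thread


def dns_qname(name: str) -> bytes:
    """Encode a domain name in DNS wire format: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.strip(".").split("."):
        lbl = label.encode("ascii")
        if not 1 <= len(lbl) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(lbl)]) + lbl
    return out + b"\x00"


def iptables_hex_string(name: str) -> str:
    """Build the --hex-string argument in the same shape as the posted rule.

    Assumption taken from that rule: the bytes immediately before the QNAME are
    ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (one OPT record in the additional section).
    """
    counts = struct.pack("!HHH", 0, 0, 1)
    return "|" + (counts + dns_qname(name)).hex() + "|"


def parse_dns_query(payload: bytes):
    """Parse the header and first question of a DNS message.

    Returns a dict for a query, or None for responses and malformed packets.
    """
    if len(payload) < 12:
        return None
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:          # QR bit set: this is a response, not a query
        return None
    if qd < 1:
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            return None
        ln = payload[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:           # compression pointers are not valid in a query's QNAME
            return None
        labels.append(payload[pos:pos + ln].decode("ascii", "replace"))
        pos += ln
    if pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {"id": txid, "qname": ".".join(labels), "qtype": qtype,
            "qclass": qclass, "ancount": an, "nscount": ns, "arcount": ar}


def is_amplification_query(payload: bytes) -> bool:
    """True when the packet matches the pattern the thread describes:
    an ANY query for one of the abused names, carrying exactly one additional
    (OPT) record. Legitimate ANY queries match too, as Jeff's note warns."""
    q = parse_dns_query(payload)
    if q is None:
        return False
    return (q["qname"].lower() in AMPLIFICATION_NAMES
            and q["qtype"] == ANY and q["arcount"] == 1)


def build_query(name: str, qtype: int = ANY, edns: bool = True, txid: int = 0x1234) -> bytes:
    """Constructed sample packet: a standard query with an optional EDNS OPT record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = dns_qname(name) + struct.pack("!HH", qtype, 1)   # class IN
    opt = (b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)) if edns else b""
    return header + question + opt


if __name__ == "__main__":
    print(iptables_hex_string("isc.org"))    # reproduces the string in the posted rule
    print(iptables_hex_string("ripe.net"))   # candidate string for the second name
    print(is_amplification_query(build_query("isc.org")))
```

Running the block prints the posted isc.org string exactly, so the ripe.net string it prints is the one a rule of the same shape would carry; whether that is right for a given attack still depends on the real packets carrying ARCOUNT=1 before the name, which is exactly what the tcpdump capture Jeff asks for confirms. Because a string match also drops legitimate ANY queries, pairing the match with the hashlimit throttling Brian Koontz described is the more measured deployment.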