dns-operations AT lists.opennicproject.org

Subject: Dns-operations mailing list

List archive

Re: [opennic-dns-operations] ALERT - If you are getting high DNS traffic, please read!

From: Abraão Caldas <abraaocaldas AT gmail.com>
To: dns-operations AT lists.opennicproject.org
Subject: Re: [opennic-dns-operations] ALERT - If you are getting high DNS traffic, please read!
Date: Thu, 12 Dec 2013 17:13:23 -0400

Anyone can recommend some tool to make a Web Live Status of Bind server (how much requests, top ip requests , etc....)

2013/12/12 Jeff Taylor <shdwdrgn AT sourpuss.net>

One way you can usually tell if you are being attacked, or if someone is just hogging all your bandwidth -- try blocking the IP's that are generating all the traffic. Nearly all of the attacks I have seen in the last year will rotate the IP addresses they attack from (see below) so if you block one set of addresses, you will see a new set attacking you within a few minutes. In the case from yesterday, the IP addresses were blocked, and did not change. This made it easy for me to stop the flow of traffic, but it also made me look closer at what was actually happening.

The biggest problem for us with DNS attacks is that the attacker does not need to actually receive confirmation of his packets. He is able to send spoofed UDP packets at very little cost to himself. Unfortunately this also means that we, as administrators, have very little that we can do to track down the *actual* source of the attacks. If anyone were to ever come up with a method of tracking spoofed IPs back to their source, you would make the world of network administration a much happier place!

On 12/12/2013 09:03 AM, Hospedaje Web y Servidores Dedicados wrote:

would be great,

to put online again my 10 servers.

Ing. Alejandro M.
Hospedaje Web y Servidores Dedicados
http://www.dedicados.com.mx
------
correo / msn: ventas AT dedicados.com.mx
skype: dedicados
------
El 12/12/2013 08:53 a.m., Jeff Taylor escribió:

Actually the person said he would stop running his crawler with opennic servers, so you could probably remove the entire block and find it is still working ok.

On 12/12/2013 07:09 AM, Hospedaje Web y Servidores Dedicados wrote:

Is for test first, seems to work ok.

Ing. Alejandro M.
Hospedaje Web y Servidores Dedicados
http://www.dedicados.com.mx
------
correo / msn:ventas AT dedicados.com.mx
skype: dedicados
------
El 12/12/2013 03:09 a. m., Guillaume Parent escribió:

Please do not ban whole countries to block this, that is a ridiculous overreaction. He just gave you a list - use it.

On Wed, Dec 11, 2013 at 11:18 PM, Hospedaje Web y Servidores Dedicados <ventas AT dedicados.com.mx <mailto:ventas AT dedicados.com.mx>> wrote:

Well, im going to start with that, and if all the load goes off,
i remove the country block, and add only those ips =)

Ing. Alejandro M.
Hospedaje Web y Servidores Dedicados
http://www.dedicados.com.mx
------
correo / msn: ventas AT dedicados.com.mx
<mailto:ventas AT dedicados.com.mx>
skype: dedicados
------
El 11/12/2013 05:11 p.m., Jeff Taylor escribió:

I wouldn't do that, because a number of European users are
making use of US servers. Besides, it makes it difficult to
be open to all if you're banning whole countries. :-)

On 12/11/2013 03:46 PM, Hospedaje Web y Servidores Dedicados
wrote:

Thanks for the info Jeff, as my servers are on USA (
most of them ) can i ban the whole country? "DE".

Ing. Alejandro M.
Hospedaje Web y Servidores Dedicados
http://www.dedicados.com.mx
------
correo / msn: ventas AT dedicados.com.mx
<mailto:ventas AT dedicados.com.mx>
skype: dedicados
------

----
To unsubscribe, email
dns-operations-unsubscribe@lists.opennicproject.org
<mailto:dns-operations-unsubscribe@lists.opennicproject.org>

----
To unsubscribe, email
dns-operations-unsubscribe@lists.opennicproject.org
<mailto:dns-operations-unsubscribe@lists.opennicproject.org>

----
To unsubscribe, email dns-operations-unsubscribe@lists.opennicproject.org

----
To unsubscribe, email dns-operations-unsubscribe@lists.opennicproject.org

----
To unsubscribe, email dns-operations-unsubscribe@lists.opennicproject.org

----
To unsubscribe, email dns-operations-unsubscribe@lists.opennicproject.org

Re: [opennic-dns-operations] ALERT - If you are getting high DNS traffic, please read!, (continued)
- Re: [opennic-dns-operations] ALERT - If you are getting high DNS traffic, please read!, Bersl, 12/11/2013
- Re: [opennic-dns-operations] ALERT - If you are getting high DNS traffic, please read!, Hospedaje Web y Servidores Dedicados, 12/11/2013
  - Re: [opennic-dns-operations] ALERT - If you are getting high DNS traffic, please read!, Jeff Taylor, 12/11/2013
    - Re: [opennic-dns-operations] ALERT - If you are getting high DNS traffic, please read!, Hospedaje Web y Servidores Dedicados, 12/11/2013
      - Re: [opennic-dns-operations] ALERT - If you are getting high DNS traffic, please read!, Guillaume Parent, 12/12/2013
        
        Re: [opennic-dns-operations] ALERT - If you are getting high DNS traffic, please read!, Alejandro Bonet, 12/12/2013
        
        Re: [opennic-dns-operations] ALERT - If you are getting high DNS traffic, please read!, Hospedaje Web y Servidores Dedicados, 12/12/2013
        
        Re: [opennic-dns-operations] ALERT - If you are getting high DNS traffic, please read!, Jeff Taylor, 12/12/2013
        
        Re: [opennic-dns-operations] ALERT - If you are getting high DNS traffic, please read!, Hospedaje Web y Servidores Dedicados, 12/12/2013
        Re: [opennic-dns-operations] ALERT - If you are getting high DNS traffic, please read!, Jeff Taylor, 12/12/2013
        Re: [opennic-dns-operations] ALERT - If you are getting high DNS traffic, please read!, Abraão Caldas, 12/12/2013
        Re: [opennic-dns-operations] ALERT - If you are getting high DNS traffic, please read!, Hospedaje Web y Servidores Dedicados, 12/12/2013
- Re: [opennic-dns-operations] ALERT - If you are getting high DNS traffic, please read!, Abraão Caldas, 12/11/2013