Re: DoS attack... what to do?

[falcon () secureconsulting net]

Maybe a stupid question, but why do you need DNS on that server at all? 
Why not offload it to your registrar or your provider?

Beyond that, you don't really provide adequate tech details here to fully
understand what your situation is.  What's the server doing?  What ports
are open and why?  Etc.

DoS mitigation has traditionally focused on blackholing as far upstream as
possible.  In this case, if it's a true DDoS with minimal commonality in
the addresses, then you'll need to either find a way to rate-limit
upstream or ride it out.  Or, change your IP and hope it's not a
name-based DDoS.

Make sure you're not doing this to yourself with some sort of
misconfiguration.  Doesn't sound like it, but one can never be too sure.
;)

> Hi Guys,
>
> Here is the situation...
>
> I have a dedicated server at ISP X, about 1 week after I signed up for
> the service I received a DoS attack against my DNS service... the attack
> came from over 10,000 IP addresses and tried to resolve the following
> domain names...
>
> leet.nexhost.org
> ns1.nexhost.org
> ns2.nexhost.org
> floop.m33pm33p.info
> irc.k1hosting.net
> b0tn3t.elite-coders.org
>
>
> I thought i would be clever and changed root.cache on my named service
> to resolve all dns queries to 127.0.0.1, this seems to of worked for
> about 1hr. Next I get even more attacks on port 5556 which I don't even
> use and basically by default drop everything to that port.
>
> I have sent off abuse reports for over 10,000 IP's, grouping them by ISP
> and sending 1 email per ISP.....
>
> What to do? I've got a constant 200Kbps of traffic, and its kinda
> bugging me...
>
> Any help would greatly be appreciated.  (btw, netsky.V uses port 5556)
>
>
> Regards
> Nigel Kukard