nanog mailing list archives
Re: ongoing DDoS...
From: Jason Frisvold <xenophage0 () gmail com>
Date: Thu, 26 Jan 2006 23:02:31 -0500
On 1/26/06, Barry Shein <bzs () world std com> wrote:
> What I presume is a zombie army sending out gazillions of emails to thousands of hosts out there (not ours) with a randomly generated (usually) return/source address @ our domain(s). The target addresses are usually also unknown so it just bounces back at us.
Some sort of a user check should mitigate most of this.. i.e., drop at the SMTP level, don't bounce.
> Besides the obvious SMTP traffic this also generates a lot of DNS traffic. At this point the DNS traffic seems to be more of a nuisance probably because so many target hosts are retrying. At one point we were doing around 10K pkts/second in DNS traffic, very unusual.
10K/s is a lot.. I would expect a lot less.. Presumably the source of the DNS requests would be another DNS server which should be caching the result. Try increasing the TTL for the "offending" records... I see it's at 24 hours at the moment though. Can you do some sniffing to determine the source of the lookups? Perhaps a broken DNS server or two out there?
> P.S. If you think "get a firewall": The problem traffic is coming from legitimate hosts in the form of DNS+SMTP, not the bots (not to us anyhow.) So not so simple, what's the filter?
Throttle on the gateway? Specifically, throttle DNS traffic to start if that's doing the most damage, and then throttle SMTP if necessary.. Depend on the remote retry to handle any timeouts..
> -- -Barry Shein
-- Jason 'XenoPhage' Frisvold XenoPhage0 () gmail com
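The "drop at the SMTP level, don't bounce" suggestion above, worked through as an added example that is not part of the thread: a minimal SMTP envelope handler that can either reject an unknown local user at RCPT TO (550) or accept everything and emit a DSN to the envelope sender at delivery time, which is exactly how forged-sender spam turns into backscatter against the forged domain. The local domain, user table and the simulated zombie run are constructed for the example; a real MTA would consult its user database at RCPT time the same way.

```python
"""Added example (not from the NANOG thread): recipient verification at RCPT TO
versus accept-then-bounce, and the backscatter each policy produces.

  verify_at_rcpt=True  -> unknown user rejected with 550 during the session;
                          the sending MTA owns the failure, the forged sender
                          domain never sees a bounce.
  verify_at_rcpt=False -> unknown user accepted, discovered at delivery, and a
                          DSN is queued to the (forged) envelope sender.

Domain names, the user table and the message samples below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

LOCAL_DOMAINS = {"example.net"}                          # assumed: our own domain
LOCAL_USERS = {"alice@example.net", "bob@example.net"}  # assumed: mailboxes that exist

PATH_RE = re.compile(r"<([^>]*)>")


def parse_path(arg: str):
    """Pull the address out of 'FROM:<a@b>' / 'TO:<a@b>'. '<>' yields '' (null sender)."""
    m = PATH_RE.search(arg)
    return m.group(1).strip().lower() if m else None


@dataclass
class SmtpHandler:
    verify_at_rcpt: bool
    bounces: list = field(default_factory=list)   # (dsn_to, failed_rcpt) this host would send
    sender: str | None = None
    rcpts: list = field(default_factory=list)

    def command(self, line: str) -> str:
        """Process one SMTP command line and return the reply. DATA is treated as
        end-of-transaction (the body is irrelevant to the envelope decision)."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mx.example.net"
        if verb == "MAIL":
            self.sender, self.rcpts = parse_path(arg), []
            return "250 2.1.0 Ok" if self.sender is not None else "501 5.1.7 Bad sender syntax"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 Need MAIL command"
            rcpt = parse_path(arg)
            if not rcpt or "@" not in rcpt:
                return "501 5.1.3 Bad recipient syntax"
            if rcpt.rpartition("@")[2] not in LOCAL_DOMAINS:
                return "554 5.7.1 Relay access denied"
            if self.verify_at_rcpt and rcpt not in LOCAL_USERS:
                # Refuse in-session: no message is accepted, so no DSN is ever generated here.
                return "550 5.1.1 User unknown"
            self.rcpts.append(rcpt)
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 No valid recipients"
            for r in self.rcpts:
                # Accept-then-bounce path: unknown user found only now, DSN goes to the
                # envelope sender. Never bounce to the null sender (that would be a bounce
                # of a bounce, a second source of mail loops).
                if r not in LOCAL_USERS and self.sender:
                    self.bounces.append((self.sender, r))
            self.sender, self.rcpts = None, []
            return "250 2.0.0 Queued"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Unrecognized command"


def run_session(handler: SmtpHandler, lines: list[str]) -> list[str]:
    """Feed a scripted client transcript to the handler and collect the replies."""
    return [handler.command(line) for line in lines]


def backscatter_count(verify_at_rcpt: bool, n: int = 1000) -> int:
    """Constructed zombie run: n messages, each with a forged random sender at
    victim.example, each to a nonexistent user here. Returns the number of DSNs
    this host would fire back at victim.example under the given policy."""
    h = SmtpHandler(verify_at_rcpt)
    for i in range(n):
        run_session(h, [f"MAIL FROM:<user{i:04x}@victim.example>",
                        f"RCPT TO:<nobody{i}@example.net>",
                        "DATA"])
    return len(h.bounces)


if __name__ == "__main__":
    for policy in (False, True):
        print(f"verify_at_rcpt={policy}: {backscatter_count(policy)} DSNs to the forged domain")
```

Seen from the forged domain's side this is the whole story: every remote MTA that accepts mail for a nonexistent user and bounces later becomes a source of the SMTP (and MX lookup) load described in the thread, while a remote MTA that verifies at RCPT TO sends nothing at all. The same check applied to your own inbound MX also stops you from accepting bounces for users you do not have.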
Current thread:
- ongoing DDoS... Barry Shein (Jan 26)
- Re: ongoing DDoS... Jason Frisvold (Jan 26)
- Re: ongoing DDoS... Suresh Ramasubramanian (Jan 26)