nanog mailing list archives
Re: isprime DOS in progress
From: Phil Rosenthal <pr () isprime com>
Date: Wed, 21 Jan 2009 12:27:48 -0500
Hello, Representing ISPrime here. This attack has been ongoing on 66.230.128.15/66.230.160.1 for about 24 hours now, and we are receiving roughly 5Gbit of attack packets from roughly 750,000 hosts.
It's somewhat absurd to suggest that we are attacking our own nameservers, I assure you, we didn't spend many hours looking for your specific nameserver to start sending 10 requests per second for the root zone, and our nameservers serve many popular domains.
Given the attack is still in progress, I can't really say much more publicly, but suffice to say, we're working on the situation.
-Phil
AS23393

On Jan 21, 2009, at 12:08 PM, Graeme Fowler wrote:

> On Tue, 2009-01-20 at 14:55 -0600, Todd T. Fries forwarded:
> > From: ISPrime Support <support () isprime com>
> > These are the result of a spoofed dns recursion attack against our servers. The actual packets in question (the ones reaching your servers) do NOT originate from our network, as such there is no way for us to filter things from our end.
> > If you are receiving queries from 76.9.31.42/76.9.16.171, neither of these machines makes legitimate outbound dns requests, so an inbound filter of packets to udp/53 from either of these two sources is perfect.
> > If you are receiving queries from 66.230.128.15/66.230.160.1, these servers are authoritative nameservers. Please do not blackhole either of these IPs as they host many domains. However, these IPs do not make outbound DNS requests, so filtering requests to your IPs from these ips with a destination port of 53 should block any illegitimate requests.
>
> I've been seeing a lot of noise from the latter two addresses after switching on query logging (and finishing an application of Team Cymru's excellent template) so I decided to DROP traffic from the addresses (with source port != 53) at the hosts in question. Well, blow me down if they didn't completely stop talking to me. Four dropped packets each, and they've gone away.
>
> Something smells "not quite right" here - if the traffic is spoofed, and my "Refused" responses have been flying right back to the *real* IP addresses, how are the spoofing hosts to know that I'm dropping the traffic?
>
> Even if I used a REJECT policy, I'd expect the ICMP messages to go back to the appropriate - as in real - hosts, rather than the spoofing sources. Something here is very odd, very odd indeed... or I'm being dumb. It's happened before.
>
> Graeme
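A defender-side check for the pattern the thread describes (a source address that appears to send many root-zone queries per second, the signature of spoofed reflection traffic hitting a recursive resolver), as an added example that is not part of the thread. The log-line format approximates BIND 9 query logging; the sample lines, the "." query name and the 10 qps threshold are constructed here from the figures quoted in the messages.

```python
import re
from collections import defaultdict
from datetime import datetime

# Approximation of a BIND 9 query-log line (assumed format, not taken from the thread):
#   21-Jan-2009 12:00:01.003 client 66.230.128.15#40003: query: . IN NS +
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
    r"(?P<ip>[\d.]+)#(?P<port>\d+): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse(line):
    """Return (timestamp, source ip, source port, qname, qtype) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
    return ts, m["ip"], int(m["port"]), m["qname"], m["qtype"]


def flag_reflection_sources(lines, threshold_qps=10, qname="."):
    """Map each source IP to its peak per-second count of queries for `qname`
    (the root zone by default) and return only those at or above threshold_qps.
    A high, steady rate of root-zone queries from one address is what a resolver
    sees when that address is being spoofed in a reflection attack."""
    per_second = defaultdict(lambda: defaultdict(int))  # ip -> second -> count
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, _port, name, _qtype = rec
        if name == qname:
            per_second[ip][ts] += 1
    return {ip: max(buckets.values()) for ip, buckets in per_second.items()
            if max(buckets.values()) >= threshold_qps}


# Constructed sample: 12 root-zone queries in one second from one of the
# addresses named in the thread, one stray root query from the other, and
# a normal lookup from 192.0.2.7 (documentation range) that must not be flagged.
SAMPLE_LOG = (
    [f"21-Jan-2009 12:00:01.{i:03d} client 66.230.128.15#{40000 + i}: query: . IN NS +"
     for i in range(12)]
    + ["21-Jan-2009 12:00:01.500 client 192.0.2.7#53211: query: example.com IN A +",
       "21-Jan-2009 12:00:02.100 client 66.230.160.1#41001: query: . IN NS +"]
)

if __name__ == "__main__":
    print(flag_reflection_sources(SAMPLE_LOG))  # {'66.230.128.15': 12}
```

The flagged addresses are candidates for the narrow filter ISPrime Support suggests (drop UDP/53 queries from those sources), not for a blackhole, since the spoofed address belongs to a legitimate authoritative server.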