RE: Tracking the DNS amplification attacks (was: isprime DOS in progress)

[Roger Marquis <marquis () roble com>]

Frank Bulk wrote:
> I would not recommend sucking in your dns log into array, rather, read line
> by line and iterate over the file, line by line.

Agreed. Python and Pytailer <http://code.google.com/p/pytailer/> are
particularly good tools for this application, running as a daemon and
implementing IP filters as needed.

This is all, however, treating symptoms.  The root cause would be far
better fixed with a named patch implementing Chris Paul's recommendation to
NANOG back in August:

 >Chris Paul wrote
 >> Sorry if this is real stupid for some reason because I don't think about
 >> DNS all day (I'm the ldap dude) but since we have faster networks and
 >> faster cpus today, what would be the harm in switching to use TCP for
 >> DNS clients? The latency on the web isn't dns anymore ever it seems to
 >> me.....
 >
 > That's the best idea I've read so far. You wouldn't want to toggle
 > protocols on the first mismatch, but maybe the 10th or 50th. Would also be
 > worthwhile to factor in some rate limiting and an algorithm for timing the
 > toggle-back. Stir in some simple statefulness via btree and voila.

Roger Marquis