nanog mailing list archives
RE: Tracking the DNS amplification attacks (was: isprime DOS in progress)
From: Roger Marquis <marquis () roble com>
Date: Sat, 24 Jan 2009 21:33:21 -0800 (PST)
Frank Bulk wrote:
> I would not recommend sucking your DNS log into an array; rather, read the file and iterate over it line by line.
Agreed. Python and Pytailer <http://code.google.com/p/pytailer/> are particularly good tools for this application, running as a daemon and implementing IP filters as needed.

This is all, however, treating symptoms. The root cause would be far better fixed with a named patch implementing Chris Paul's recommendation to NANOG back in August:

> Chris Paul wrote
>> Sorry if this is real stupid for some reason because I don't think about
>> DNS all day (I'm the ldap dude) but since we have faster networks and
>> faster cpus today, what would be the harm in switching to use TCP for
>> DNS clients? The latency on the web isn't dns anymore ever it seems to
>> me.....
>
> That's the best idea I've read so far. You wouldn't want to toggle
> protocols on the first mismatch, but maybe the 10th or 50th. Would also be
> worthwhile to factor in some rate limiting and an algorithm for timing the
> toggle-back. Stir in some simple statefulness via btree and voila.

Roger Marquis
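The line-by-line log scan and per-source IP filtering discussed above, as an added example that is not code from the post, from Pytailer or from any named patch. It assumes a BIND 9 querylog line shape ("client IP#port: query: NAME IN TYPE"), uses a small follow() generator in place of Pytailer so it runs stand-alone, and treats the window and threshold as illustrative tunables. The sample log lines are constructed; the iptables rule is rendered as a string and never executed.

```python
import re
import time
from collections import defaultdict, deque
from datetime import datetime

# Assumed BIND 9 querylog line shape (constructed for this example):
#   24-Jan-2009 21:33:21.123 client 192.0.2.1#1024: query: . IN NS +
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query(line):
    """Return (unix_ts, source_ip, qname, qtype), or None for non-query lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S").timestamp()
    return ts, m.group("ip"), m.group("qname"), m.group("qtype")


class SourceRateTracker:
    """Sliding-window query counter per source address.

    A source is reported the first time it exceeds `threshold` queries within
    `window` seconds. Both are assumed tunables; the defaults are illustrative.
    """

    def __init__(self, window=60.0, threshold=100):
        self.window = window
        self.threshold = threshold
        self.events = defaultdict(deque)  # ip -> timestamps inside the window
        self.flagged = set()

    def observe(self, ts, ip):
        q = self.events[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.threshold and ip not in self.flagged:
            self.flagged.add(ip)
            return True
        return False


def block_rule(ip, port=53):
    """Render an iptables rule as a string; nothing is executed here.

    Caveat: in a reflection attack the logged source is the spoofed victim, so
    dropping it spares the victim your replies but does not stop the attacker.
    """
    return f"iptables -I INPUT -p udp --dport {port} -s {ip} -j DROP"


def scan(lines, tracker, want_qtypes=None):
    """Feed log lines one at a time; yield (ip, rule) as sources get flagged."""
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            continue
        ts, ip, _qname, qtype = parsed
        if want_qtypes and qtype not in want_qtypes:
            continue
        if tracker.observe(ts, ip):
            yield ip, block_rule(ip)


def follow(path, poll=0.5):
    """Tail a growing file from its end, one line at a time (stand-in for Pytailer).
    Does not handle log rotation; a real daemon must reopen on inode change."""
    with open(path) as fh:
        fh.seek(0, 2)
        while True:
            line = fh.readline()
            if line:
                yield line.rstrip("\n")
            else:
                time.sleep(poll)


# Constructed sample: one source hammering the root NS, one ordinary client,
# and one line that is not a query at all.
SAMPLE_LOG = [
    "24-Jan-2009 21:33:21.001 client 192.0.2.1#1024: query: . IN NS +",
    "24-Jan-2009 21:33:21.002 client 192.0.2.1#1025: query: . IN NS +",
    "24-Jan-2009 21:33:21.050 client 198.51.100.7#4321: query: www.example.com IN A +",
    "24-Jan-2009 21:33:21.003 client 192.0.2.1#1026: query: . IN NS +",
    "24-Jan-2009 21:33:22.000 named[123]: zone example.com/IN: loaded serial 2009012401",
    "24-Jan-2009 21:33:21.004 client 192.0.2.1#1027: query: . IN NS +",
    "24-Jan-2009 21:33:21.005 client 192.0.2.1#1028: query: . IN NS +",
]

if __name__ == "__main__":
    import sys
    tracker = SourceRateTracker(window=60, threshold=3)
    source = follow(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, rule in scan(source, tracker, want_qtypes={"ANY", "NS"}):
        print(f"flagged {ip}: {rule}")
```

Run it with a querylog path to tail a live file, or with no argument to scan the constructed sample. The qtype filter narrows the count to the record types that amplify well; the sliding deque keeps memory proportional to the number of distinct sources in the window rather than to the log size, which is the point of not slurping the file into an array.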