nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: DNS dDos Attack!

From: Jared Mauch <jared () puck Nether net>
Date: Fri, 28 Mar 2003 09:49:46 -0500

        Dan,

        Might I suggest a few things.

        1) If you truly want the nanog community to help, perhaps
you wish to post the Ip being attacked as well as a series of
sources, including the names of your upstreams involved as
their security teams haven't helped you and that's the reason
for the post.
        2) You probally want to install an icmp rate-limit to
help mitigate this attack.  By saying CEF, I assume you
are using a Cisco router.  Here's a quick example:

interface <foo>
 rate-limit input access-group 2000 1536000 200000 200000 conform-action transm
it exceed-action drop

access-list 2000 permit icmp any any

        That should drop the icmp down to around a T1s worth.

        - Jared

On Fri, Mar 28, 2003 at 09:28:48AM -0500, Dan Armstrong wrote:


Sorry, I lied.  We are running 8.34Release

What I cannot figure out is why *our* name server is sending out ICMP
unreachables.  The incoming dns queries are coming from random
destinations....

I have blocked icmp 3 incoming from that DMZ as not to overwhelm the CEF in
any other routers, but whoever is doing this has this name server at it's
knees.

Dan.


Eric Whitehill wrote:


Dan:

Can you updated your version of BIND and install some acls?

-Eric

On Fri, 28 Mar 2003, Dan Armstrong wrote:


Date: Fri, 28 Mar 2003 09:20:20 -0500
From: Dan Armstrong <dan () beanfield com>
To: nanog () merit edu
Subject: DNS dDos Attack!


I am sorry if this has come up before, but it seems that one of our name

servers is under some sort of dDos attack.  It seems to be receiving
millions of queries form spoofed IPs, and it is spending all of it's
time sending back icmp unreachables.

It is running bind 4.31 under BSD 4.62STABLE

Help!

Thanks,
Dan.




-- 
Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
Previous By Date Next
Previous By Thread Next

Current thread: