nanog mailing list archives
DNS Blocking
From: "Dan Mahoney, System Admin" <danm () prime gushi org>
Date: Thu, 19 Aug 2004 14:25:19 -0400 (EDT)
Hey guys,I was recently hammered by someone making a ton of requests for a non-existent subdomain of a domain that I host. The requests were coming in from forged ips, and presumably being used to flood other people.
Because DNS is udp based, and the sender of the queries honestly didn't care about getting a response back, traditional firewalls were useless. I imagine a sniffing firewall that can look at the packet payloads would have been more useful, but I was wondering if anyone knew a way to better mitigate this type of attack.
I posted on comp.protocols.dns.bind, didn't get back anything of use. I posted on webhostingtalk, and got a pointer at the "securing bind" paper (which neither addresses the situation, nor includes anything to prevent it).
What I was basically asking for was a "silently drop queries for X-domain" option. But one doesn't exist in bind.
I know it's a little off-topic, but I'd appreciate any pointers. -Dan Mahoney -- "...Somebody fed you sugar. Shit!" --Tracy, after noticing Gatorade on my desk. Ezzi Computers, October 18th 2003 Approx 11PM --------Dan Mahoney-------- Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---------------------------
Current thread:
- DNS Blocking Dan Mahoney, System Admin (Aug 19)
- Re: DNS Blocking Paul Vixie (Aug 19)
- Re: DNS Blocking Dan Mahoney, System Admin (Aug 19)
- Re: DNS Blocking Duane Wessels (Aug 19)
- Re: DNS Blocking Paul Vixie (Aug 19)
- Re: DNS Blocking Mike Lewinski (Aug 19)
- Re: DNS Blocking Suresh Ramasubramanian (Aug 19)
- Re: DNS Blocking Paul Vixie (Aug 19)
- Re: DNS Blocking Dan Mahoney, System Admin (Aug 19)
- Re: DNS Blocking Paul Vixie (Aug 19)