nanog mailing list archives

Re: ongoing DDoS...


From: Jason Frisvold <xenophage0 () gmail com>
Date: Thu, 26 Jan 2006 23:02:31 -0500


On 1/26/06, Barry Shein <bzs () world std com> wrote:
> What I presume is a zombie army sending out gazillions of emails to
> thousands of hosts out there (not ours) with a randomly generated
> (usually) return/source address @ our domain(s). The target addresses
> are usually also unknown so it just bounces back at us.

Some sort of user check should mitigate most of this... i.e., drop at
the SMTP level, don't bounce.

> Besides the obvious SMTP traffic this also generates a lot of DNS
> traffic. At this point the DNS traffic seems to be more of a nuisance
> probably because so many target hosts are retrying. At one point we
> were doing around 10K pkts/second in DNS traffic, very unusual.

10K/s is a lot... I would expect a lot less. Presumably the source
of the DNS requests would be another DNS server, which should be caching
the result.

Try increasing the TTL for the "offending" records...  I see it's at
24 hours at the moment though.

Can you do some sniffing to determine the source of the lookups?
Perhaps a broken DNS server or two out there?

> P.S. If you think "get a firewall": The problem traffic is coming from
> legitimate hosts in the form of DNS+SMTP, not the bots (not to us
> anyhow.) So not so simple, what's the filter?

Throttle on the gateway? Specifically, throttle DNS traffic to start
if that's doing the most damage, and then throttle SMTP if necessary.
Depend on the remote retry to handle any timeouts.

> --
>         -Barry Shein


--
Jason 'XenoPhage' Frisvold
XenoPhage0 () gmail com
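One way to act on the "do some sniffing to determine the source of the lookups" suggestion above, as an added example that is not part of the thread: it scans BIND-9-style query log lines and ranks the resolvers that re-ask for the same record well inside its TTL, which is what a broken or non-caching resolver looks like from the authoritative side. The sample log lines, the documentation-range client IPs, the example.com name standing in for the real domain, and the function names `parse_line`, `repeat_offenders` and `top_offenders` are all constructed for this example.

```python
# Added example for this thread (not from the original posts): rank resolvers
# that re-ask for the same record inside its TTL, i.e. resolvers not caching.
# Assumes BIND-9-style query log lines; sample lines/IPs below are constructed.
import re
from datetime import datetime

TTL_SECONDS = 24 * 3600  # the thread says the records carry a 24-hour TTL

# Constructed sample: 192.0.2.10 repeats the same MX query every few seconds,
# 198.51.100.7 asks once, 203.0.113.5 asks twice but for different records.
SAMPLE_LOG = """\
26-Jan-2006 22:10:01.100 client 192.0.2.10#53211: query: example.com IN MX +
26-Jan-2006 22:10:04.220 client 198.51.100.7#40001: query: example.com IN MX +
26-Jan-2006 22:10:06.003 client 192.0.2.10#53212: query: example.com IN MX +
26-Jan-2006 22:10:09.480 client 203.0.113.5#1234: query: example.com IN MX +
26-Jan-2006 22:10:12.910 client 192.0.2.10#53213: query: example.com IN MX +
26-Jan-2006 22:10:15.000 client 203.0.113.5#1235: query: mail.example.com IN A +
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?P<ip>[0-9a-fA-F.:]+)#\d+"
    r".*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse_line(line):  # -> (timestamp, client_ip, qname, qtype) or None
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return ts, m["ip"], m["qname"].lower(), m["qtype"].upper()

def repeat_offenders(log_text, ttl=TTL_SECONDS):
    """Map client_ip -> number of queries that repeat an identical (qname, qtype)
    from that client less than `ttl` seconds after the previous one."""
    last_seen, repeats = {}, {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:  # skip lines that are not query-log entries
            continue
        ts, ip, qname, qtype = parsed
        prev = last_seen.get((ip, qname, qtype))
        if prev is not None and (ts - prev).total_seconds() < ttl:
            repeats[ip] = repeats.get(ip, 0) + 1
        last_seen[(ip, qname, qtype)] = ts
    return repeats

def top_offenders(log_text, ttl=TTL_SECONDS, limit=10):
    """Clients ranked by within-TTL repeats, worst first (ties broken by IP)."""
    return sorted(repeat_offenders(log_text, ttl).items(),
                  key=lambda kv: (-kv[1], kv[0]))[:limit]
```

Clients at the top of `top_offenders(SAMPLE_LOG)` are the ones worth contacting or rate-limiting first; raising the TTL does nothing for a resolver that ignores it.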

