nanog mailing list archives

RE: isprime DOS in progress


From: "Justin Krejci" <jkrejci () usinternet com>
Date: Wed, 21 Jan 2009 11:32:37 -0600



-----Original Message-----
From: Graeme Fowler [mailto:graeme () graemef net] 
Sent: Wednesday, January 21, 2009 11:08 AM
To: Nanog Mailing list
Subject: Re: isprime DOS in progress


I've been seeing a lot of noise from the latter two addresses after
switching on query logging (and finishing an application of Team Cymru's
excellent template) so I decided to DROP traffic from the addresses
(with source port != 53) at the hosts in question.

Well, blow me down if they didn't completely stop talking to me. Four
dropped packets each, and they've gone away.

Something smells "not quite right" here - if the traffic is spoofed, and
my "Refused" responses have been flying right back to the *real* IP
addresses, how are the spoofing hosts to know that I'm dropping the
traffic?

Even if I used a REJECT policy, I'd expect the ICMP messages to go back
to the appropriate - as in real - hosts, rather than the spoofing
sources.

Something here is very odd, very odd indeed... or I'm being dumb. It's
happened before.

Graeme

In looking at my query logs, I am seeing only requests from 66.230.160.1 and
66.230.128.15, so I've done the same thing with iptables, and the rules are
resulting in an ever-growing number of packets being dropped.


# iptables -nvL | grep -F -B 1 -A 1 66.230.160.1 | awk '{ print $1,$2,$3,$8,$10,$11,$12 }'

pkts  bytes target source
49517 2228K DROP   66.230.160.1 udp spt:!53 dpt:53
35905 1616K DROP   66.230.128.15 udp spt:!53 dpt:53
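As an added illustration (not code from the thread), the following Python script parses two `iptables -nvL` snapshots and reports how many packets each of the two DROP rules caught in between, which is the quickest way to confirm whether a spoofed stream has actually stopped (Graeme's case) or keeps growing (Justin's). The first snapshot uses the counter values posted above; the second snapshot, the chain policy line and the column layout of the rows are constructed for the example. Note that `iptables -nvL` abbreviates large counters (2228K); run it with `-x` when you need exact values.

```python
import re

# Constructed sample: two `iptables -nvL INPUT` listings taken some time apart.
# Counters in the first are the ones posted in the thread; the second is made up.
SNAPSHOT_T0 = """\
Chain INPUT (policy ACCEPT 123K packets, 45M bytes)
 pkts bytes target     prot opt in     out     source               destination
49517 2228K DROP       udp  --  *      *       66.230.160.1         0.0.0.0/0            udp spt:!53 dpt:53
35905 1616K DROP       udp  --  *      *       66.230.128.15        0.0.0.0/0            udp spt:!53 dpt:53
"""
SNAPSHOT_T1 = """\
Chain INPUT (policy ACCEPT 131K packets, 48M bytes)
 pkts bytes target     prot opt in     out     source               destination
61042 2747K DROP       udp  --  *      *       66.230.160.1         0.0.0.0/0            udp spt:!53 dpt:53
44310 1994K DROP       udp  --  *      *       66.230.128.15        0.0.0.0/0            udp spt:!53 dpt:53
"""

_SUFFIX = {"": 1, "K": 1000, "M": 1000000, "G": 1000000000}


def parse_count(token):
    """Turn an iptables counter such as '49517' or '2228K' into an int.
    Suffixed values are rounded by iptables; use `iptables -x` for exact counts."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError("not an iptables counter: %r" % token)
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_drop_counters(listing):
    """Return {source: packets} for every DROP rule matching UDP traffic to port 53.
    Column order follows `iptables -nvL`: pkts bytes target prot opt in out src dst extra."""
    counters = {}
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[2] != "DROP":
            continue  # chain header, column header, or a non-DROP rule
        extra = " ".join(fields[9:])
        if fields[3] == "udp" and "dpt:53" in extra:
            counters[fields[7]] = parse_count(fields[0])
    return counters


def counter_growth(before, after):
    """Packets dropped per source between two snapshots. A non-zero, rising
    delta means the (spoofed) queries are still arriving despite the DROP rule."""
    old = parse_drop_counters(before)
    new = parse_drop_counters(after)
    return {src: new[src] - old.get(src, 0) for src in new}


if __name__ == "__main__":
    for src, delta in counter_growth(SNAPSHOT_T0, SNAPSHOT_T1).items():
        print("%-15s +%d packets dropped since last snapshot" % (src, delta))
```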


