nanog mailing list archives

Re: isprime DOS in progress


From: Graeme Fowler <graeme () graemef net>
Date: Wed, 21 Jan 2009 19:32:14 +0000

On Wed, 2009-01-21 at 12:27 -0500, Phil Rosenthal wrote:
> Representing ISPrime here.

Well... representing myself and nobody else, so if that stretches my
credibility thin so be it.

> It's somewhat absurd to suggest that we are attacking our own
> nameservers, I assure you, we didn't spend many hours looking for your
> specific nameserver to start sending 10 requests per second for the
> root zone, and our nameservers serve many popular domains.

I just checked to make sure I did not make that assertion. I did not.

I observed something odd, and stated as much to see if anyone else did.
I apologise if you read my message as insinuating what you stated, but I
assure you that wasn't the intention.

I did say "maybe I'm being dumb", and that is indeed the answer - I
applied a temporary netfilter ruleset, then made it permanent - and it
switched the DROP and LOG statements round so that... the packet got
dropped first and the log statements never got hit. Schoolboy error (and
interesting that someone else has observed this behaviour before!)...

Normal service has been resumed. I should write a haiku here (sorry,
MLC, poor joke).

> Given the attack is still in progress, I can't really say much more
> publicly, but suffice to say, we're working on the situation.

In a previous job I've been on the receiving end of similar attacks so I
have a large degree of understanding of the pressure you're under at the
moment. I wish you the best of luck sorting it out.

Graeme
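
The rule-ordering mistake described in the message above, as an added example that is not part of the original post: netfilter stops traversing a chain at the first terminating target (DROP, REJECT, ACCEPT), while LOG is non-terminating, so a LOG rule placed after a DROP with the same match never fires. The rulesets below are constructed samples in `iptables-save` format, and `shadowed_log_rules` is a hypothetical helper that only compares exact match specifications.

```python
import shlex

TERMINATING = {"DROP", "REJECT", "ACCEPT"}  # verdict targets: traversal stops here

def parse_rules(ruleset):
    """Yield (line_no, chain, match_tuple, target) for each '-A' rule line."""
    for no, line in enumerate(ruleset.splitlines(), 1):
        tok = shlex.split(line)
        if len(tok) < 4 or tok[0] != "-A" or "-j" not in tok[:-1]:
            continue
        j = tok.index("-j")
        yield no, tok[1], tuple(tok[2:j]), tok[j + 1]

def shadowed_log_rules(ruleset):
    """Return line numbers of LOG rules that can never be reached.

    A LOG rule is flagged when an earlier rule in the same chain already
    gave a verdict for the identical match, or for every packet (empty match).
    """
    verdicts = {}  # chain -> set of match tuples that already end traversal
    hits = []
    for no, chain, match, target in parse_rules(ruleset):
        seen = verdicts.setdefault(chain, set())
        if target == "LOG" and (match in seen or () in seen):
            hits.append(no)
        elif target in TERMINATING:
            seen.add(match)
    return hits

# Constructed sample: DROP precedes LOG, so nothing is ever logged.
BROKEN = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 53 -m limit --limit 10/sec -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j DROP
-A INPUT -p udp -m udp --dport 53 -j LOG --log-prefix "dns-flood: "
COMMIT
"""

# Constructed sample: same rules with LOG ahead of DROP.
FIXED = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 53 -m limit --limit 10/sec -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j LOG --log-prefix "dns-flood: "
-A INPUT -p udp -m udp --dport 53 -j DROP
COMMIT
"""

if __name__ == "__main__":
    print("broken:", shadowed_log_rules(BROKEN))
    print("fixed: ", shadowed_log_rules(FIXED))
```

Running a check like this against the saved ruleset after converting a temporary ruleset to a permanent one catches the reordering before the missing log lines are noticed.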


