nanog mailing list archives
Re: Tracking the DNS amplification attacks (was: isprime DOS in progress)
From: James Hess <mysidia () gmail com>
Date: Sun, 25 Jan 2009 03:23:05 -0600
On Sat, Jan 24, 2009 at 9:00 PM, Frank Bulk <frnkblk () iname com> wrote:
> I would not recommend sucking in your dns log into array, rather, read line
> by line and iterate over the file, line by line.
>
> Frank

True.. reading into an array can get a bit nasty, if your server logs are a few gigabytes in size. Could use C, also... http://pastebin.com/f4c2ff010

Scanning your logs after the fact is definitely not as good as separating DNS servers that are authoritative for zones and picking nameserver software such as TinyDNS or similar options for authoritative DNS usage that won't respond to queries for the root or other zones the DNS server is not directed to be used for, and using acls/firewalls to prevent outside queries against other DNS servers that aren't delegated zones.

It's a bit difficult to apply a BIND patch that doesn't exist yet in vendor-supplied implementations of BIND, at least..

--
-J
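
The line-by-line scan discussed in this message, as an added example that is not part of the original post or the linked pastebin code: it streams a query log and counts queries for the root zone per source address. The BIND-style log line format, the function names and the sample addresses are assumptions.

```python
import io
import re
from collections import Counter

# Assumed BIND-style query log line (an assumption; adjust to your server's format):
#   25-Jan-2009 03:10:01.101 client 192.0.2.10#53211: query: . IN NS +
# The optional groups tolerate newer layouts that add "@0x..." and "(qname)".
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def count_root_queries(lines):
    """Count root-zone (".") queries per source IP from an iterable of log lines.

    Only one line is held in memory at a time, so a multi-gigabyte log is fine.
    """
    hits = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if m and m.group("qname") == ".":
            hits[m.group("ip")] += 1
    return hits

def top_sources(lines, threshold=2):
    """Return (ip, count) pairs at or above threshold, busiest first."""
    return [(ip, n) for ip, n in count_root_queries(lines).most_common() if n >= threshold]

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
25-Jan-2009 03:10:01.101 client 192.0.2.10#53211: query: . IN NS +
25-Jan-2009 03:10:01.140 client 198.51.100.7#40112: query: www.example.com IN A +
25-Jan-2009 03:10:01.188 client 192.0.2.10#1029: query: . IN NS +
25-Jan-2009 03:10:02.003 client 192.0.2.10#6112: query: . IN NS +
25-Jan-2009 03:10:02.250 client 203.0.113.5#33001: query: . IN NS +
25-Jan-2009 03:10:02.900 named: zone example.com/IN: loaded serial 2009012501
"""

if __name__ == "__main__":
    # With a real file, pass the open handle; iterating over it reads line by line:
    #   with open("/path/to/query.log", errors="replace") as fh: top_sources(fh)
    for ip, n in top_sources(io.StringIO(SAMPLE_LOG)):
        # In an amplification attack the source is spoofed, so this is the likely victim.
        print(f"{ip}\t{n}")
```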