nanog mailing list archives
Re: Tracking the DNS amplification attacks (was: isprime DOS in progress)
From: "Crist Clark" <Crist.Clark () globalstar com>
Date: Fri, 30 Jan 2009 15:04:20 -0800
On 1/24/2009 at 4:50 PM, Brian Keefer <chort () smtps net> wrote:
> Caveat: my PERL is _terrible_.
>
> http://www.smtps.net/pub/dns-amp-watch.pl
>
> This assumes you're using BIND. My logs roll on the hour, so I run it from cron at 1 minute before the hour. Depending on how long it takes to process your logs, you might need to tweak.
FWIW, I find it easier to track this using tcpdump. I don't like running BIND with query logging. Here's a filter that catches these,

    port 53 && (udp[10:4] == 0x01000001) && (udp[20:2] == 0x0000)

How it works is left as an exercise for the reader. When I sniff the link to a server authoritative for several domains,

17:29:55.792127 IP 72.249.127.168.3966 > 206.220.220.100.53: 18501+ NS? . (17)
17:29:57.116367 IP 69.64.87.156.58419 > 206.220.220.100.53: 62419+ NS? . (17)
17:29:57.804987 IP 72.249.127.168.33108 > 206.220.220.100.53: 4637+ NS? . (17)
17:29:58.959680 IP 72.20.3.82.23084 > 206.220.220.100.53: 14310+ NS? . (17)
17:29:59.818994 IP 72.249.127.168.60876 > 206.220.220.100.53: 22791+ NS? . (17)
17:30:01.622728 IP 69.64.87.156.30151 > 206.220.220.100.53: 13557+ NS? . (17)
17:30:01.628899 IP 72.20.3.82.49015 > 206.220.220.100.53: 14250+ NS? . (17)
17:30:01.821214 IP 72.249.127.168.13831 > 206.220.220.100.53: 51065+ NS? . (17)
17:30:03.342856 IP 69.64.87.156.1926 > 206.220.220.100.53: 38768+ NS? . (17)
17:30:03.818706 IP 72.249.127.168.33663 > 206.220.220.100.53: 12720+ NS? . (17)
17:30:05.186647 IP 72.20.3.82.7649 > 206.220.220.100.53: 52079+ NS? . (17)
17:30:05.815718 IP 72.249.127.168.37241 > 206.220.220.100.53: 345+ NS? . (17)
17:30:07.816144 IP 72.249.127.168.23784 > 206.220.220.100.53: 56874+ NS? . (17)
17:30:07.849503 IP 69.64.87.156.33190 > 206.220.220.100.53: 20113+ NS? . (17)
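An added example, not from the thread or its authors, that works through the "exercise for the reader": it builds constructed root-zone queries as raw UDP datagrams (UDP header plus DNS payload, so offsets line up with tcpdump's udp[...] syntax) and re-implements the filter's two byte checks in Python. The helper names build_dns_query, udp_datagram, matches_root_ns_filter and summarize are my own.

```python
import struct

# Offsets, counted from the start of the UDP header (8 bytes), as tcpdump does:
#   udp[10:4] -> DNS bytes 2..5  = FLAGS (0x0100: QR=0, RD=1) + QDCOUNT (1)
#   udp[20:2] -> DNS bytes 12..13 = first byte of QNAME (0x00 = root ".")
#                                   + high byte of QTYPE (0x00 for NS=2, ANY=255, ...)
QTYPE_NAMES = {1: "A", 2: "NS", 255: "ANY"}


def build_dns_query(qname: str, qtype: int, txid: int, flags: int = 0x0100) -> bytes:
    """Constructed sample: DNS header + one question, no EDNS. A root NS query is 17 bytes."""
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split(".") if l)
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN


def udp_datagram(payload: bytes, sport: int = 40000, dport: int = 53) -> bytes:
    """Prepend an 8-byte UDP header (checksum left zero) so udp[N] offsets match."""
    return struct.pack(">HHHH", sport, dport, 8 + len(payload), 0) + payload


def matches_root_ns_filter(udp: bytes) -> bool:
    """Python equivalent of: udp[10:4] == 0x01000001 && udp[20:2] == 0x0000."""
    if len(udp) < 22:
        return False
    flags_qdcount = struct.unpack(">I", udp[10:14])[0]
    qname_qtype_hi = struct.unpack(">H", udp[20:22])[0]
    # Matches any recursion-desired query for "." whose QTYPE < 256, so ANY? . as well as NS? .
    return flags_qdcount == 0x01000001 and qname_qtype_hi == 0x0000


def summarize(udp: bytes) -> str:
    """Render the question tcpdump-style, e.g. '18501+ NS? . (17)'."""
    dns = udp[8:]
    txid, flags = struct.unpack(">HH", dns[:4])
    pos, labels = 12, []
    while dns[pos]:  # walk the labels of the first QNAME
        n = dns[pos]
        labels.append(dns[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    qtype = struct.unpack(">H", dns[pos + 1:pos + 3])[0]
    name = ".".join(labels) + "." if labels else "."
    rd = "+" if flags & 0x0100 else ""
    return f"{txid}{rd} {QTYPE_NAMES.get(qtype, str(qtype))}? {name} ({len(dns)})"


if __name__ == "__main__":
    pkt = udp_datagram(build_dns_query(".", 2, 18501))
    print(summarize(pkt), matches_root_ns_filter(pkt))
```

Running a capture with this filter on an authoritative server's uplink gives a per-source count of root NS probes without enabling BIND query logging.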