On 10 Jun 2012, at 09:19, DTNX Postmaster wrote:
> What type of queries?
ANY queries for ihren.org with no UDP checksum:
shaun# tcpdump -vv -n port 53
09:32:30.139803 IP (tos 0x0, ttl 251, id 24876, offset 0, flags [none], proto UDP (17), length 66)
    37.221.160.125.28832 > 93.186.33.42.53: [no cksum] 18554+ [1au] ANY? ihren.org. ar: . OPT UDPsize=9000 (38)
09:32:30.139806 IP (tos 0x0, ttl 251, id 24877, offset 0, flags [none], proto UDP (17), length 66)
    37.221.160.125.28832 > 93.186.33.42.53: [no cksum] 18554+ [1au] ANY? ihren.org. ar: . OPT UDPsize=9000 (38)
09:32:30.139929 IP (tos 0x0, ttl 251, id 24878, offset 0, flags [none], proto UDP (17), length 66)
    37.221.160.125.28832 > 93.186.33.42.53: [no cksum] 18554+ [1au] ANY? ihren.org. ar: . OPT UDPsize=9000 (38)
> The iptables rules mentioned in the first comment work well for us
Well for starters, I [dw]on't use Linux. The server runs FreeBSD.
Besides, the damage is done by the time these packets hit the server's
ethernet card. At ~4000qps inbound, this is close to saturating the
server's VLAN in the data centre. The traffic needs to be blocked
before it reaches that. I've hopefully got the offending addresses
blackholed by the name server now: don't know though if those
addresses were spoofed or not.
I posted here to see if anyone else is experiencing this behaviour or
can identify the root cause. DDoS attacks against "important" name
servers are fairly common. Could the bad guys now be picking easier
targets that may be more likely to fall over? And why pick on my name
server which has never done anyone any harm?
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
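The capture above carries a recognisable signature: ANY queries, no UDP checksum, an EDNS0 buffer of 9000 bytes, and the same query ID and source port on every packet. The script below is an added example (not from the mail, the list, or any named tool) that parses `tcpdump -vv` lines, profiles each source address and flags the ones that match that pattern, and puts an upper bound on the amplification each source can extract. The three attack lines are the ones quoted in the mail, re-joined onto one line each; the control query from 192.0.2.10 and the 4096-byte EDNS threshold are constructed assumptions.

```python
"""Profile inbound UDP/53 queries from tcpdump -vv output and flag sources that
look like a reflection/amplification generator: all-ANY queries, no UDP checksum,
a fixed query ID and source port, and an oversized EDNS0 buffer.

Added example, not code from the original mail. SAMPLE holds the three queries
quoted in the thread plus one constructed ordinary A query as a control.
"""
import re
from collections import defaultdict

SAMPLE = """\
09:32:30.139803 IP (tos 0x0, ttl 251, id 24876, offset 0, flags [none], proto UDP (17), length 66) 37.221.160.125.28832 > 93.186.33.42.53: [no cksum] 18554+ [1au] ANY? ihren.org. ar: . OPT UDPsize=9000 (38)
09:32:30.139806 IP (tos 0x0, ttl 251, id 24877, offset 0, flags [none], proto UDP (17), length 66) 37.221.160.125.28832 > 93.186.33.42.53: [no cksum] 18554+ [1au] ANY? ihren.org. ar: . OPT UDPsize=9000 (38)
09:32:30.139929 IP (tos 0x0, ttl 251, id 24878, offset 0, flags [none], proto UDP (17), length 66) 37.221.160.125.28832 > 93.186.33.42.53: [no cksum] 18554+ [1au] ANY? ihren.org. ar: . OPT UDPsize=9000 (38)
09:32:31.004112 IP (tos 0x0, ttl 54, id 1337, offset 0, flags [none], proto UDP (17), length 70) 192.0.2.10.41233 > 93.186.33.42.53: [udp sum ok] 4021+ [1au] A? www.ihren.org. ar: . OPT UDPsize=4096 (42)
"""

# One tcpdump -vv line for a UDP query to port 53, with the fields used below.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(tos 0x[0-9a-f]+, ttl (?P<ttl>\d+), id (?P<ipid>\d+), "
    r"offset \d+, flags \[[^\]]*\], proto UDP \(17\), length (?P<len>\d+)\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.53: "
    r"\[(?P<cksum>[^\]]*)\] (?P<txid>\d+)\+? (?:\[1au\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)"
    r"(?: ar: \. OPT UDPsize=(?P<udpsize>\d+))?"
)


def parse(text):
    """Return one dict per recognised query line; anything else is skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def profile_sources(text, edns_threshold=4096):
    """Group queries by source address and compute per-source attack signals.

    edns_threshold is an assumed cut-off: buffers above it are flagged as oversized.
    """
    by_src = defaultdict(list)
    for p in parse(text):
        by_src[p["src"]].append(p)

    report = {}
    for src, pkts in by_src.items():
        n = len(pkts)
        udpsizes = [int(p["udpsize"]) for p in pkts if p["udpsize"]]
        max_udpsize = max(udpsizes, default=512)  # 512 = classic limit without an OPT RR
        min_req_len = min(int(p["len"]) for p in pkts)

        flags = []
        if all(p["qtype"] == "ANY" for p in pkts):
            flags.append("all_ANY")
        if all(p["cksum"] == "no cksum" for p in pkts):
            flags.append("no_udp_cksum")
        # A resolver randomises the query ID and source port per query (RFC 5452);
        # a packet generator typically does not.
        if n > 1 and len({p["txid"] for p in pkts}) == 1:
            flags.append("fixed_txid")
        if n > 1 and len({p["sport"] for p in pkts}) == 1:
            flags.append("fixed_sport")
        if max_udpsize > edns_threshold:
            flags.append("oversized_edns")

        report[src] = {
            "queries": n,
            "qnames": sorted({p["qname"] for p in pkts}),
            "max_udpsize": max_udpsize,
            # Upper bound on amplification: the largest reply the client says it can
            # take (UDP payload + 8 B UDP + 20 B IPv4) over the smallest request it
            # sent, using the IP total length tcpdump printed.
            "worst_case_amplification": round((max_udpsize + 28) / min_req_len, 2),
            "flags": flags,
            # ANY plus at least one other signal: treat as a reflection candidate.
            "suspicious": "all_ANY" in flags and len(flags) >= 2,
        }
    return report


if __name__ == "__main__":
    for src, prof in profile_sources(SAMPLE).items():
        print(src, prof)
```

Note the caveat for what the report is good for: in a reflection attack the source address is the victim, so these signals say which traffic to rate-limit or drop, not whom to blame. Blocking 37.221.160.125 on the name server does stop the replies, which is what the victim wants, but as the mail says it does nothing for the inbound load on the server's link.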