On Jun 10, 2012, at 10:45, Jim Reid wrote:

> On 10 Jun 2012, at 09:19, DTNX Postmaster wrote:
>
>> What type of queries?
>
> ANY queries for ihren.org with no UDP checksum:
>
> shaun# tcpdump -vv -n port 53
> 09:32:30.139803 IP (tos 0x0, ttl 251, id 24876, offset 0, flags [none], proto UDP (17), length 66)
>     37.221.160.125.28832 > 93.186.33.42.53: [no cksum] 18554+ [1au] ANY? ihren.org. ar: . OPT UDPsize=9000 (38)
> 09:32:30.139806 IP (tos 0x0, ttl 251, id 24877, offset 0, flags [none], proto UDP (17), length 66)
>     37.221.160.125.28832 > 93.186.33.42.53: [no cksum] 18554+ [1au] ANY? ihren.org. ar: . OPT UDPsize=9000 (38)
> 09:32:30.139929 IP (tos 0x0, ttl 251, id 24878, offset 0, flags [none], proto UDP (17), length 66)
>     37.221.160.125.28832 > 93.186.33.42.53: [no cksum] 18554+ [1au] ANY? ihren.org. ar: . OPT UDPsize=9000 (38)
This is what our tcpdump looks like:

11:20:46.115011 IP (tos 0x0, ttl 47, id 0, offset 0, flags [DF], proto UDP (17), length 63)
    184.105.175.202.30632 > amonhen.nickserf.nl.domain: [udp sum ok] 43127+ ANY? xxxxxxxxxxxxx.tld. (35)
11:20:47.093295 IP (tos 0x0, ttl 47, id 0, offset 0, flags [DF], proto UDP (17), length 63)
    184.105.175.202.50833 > amonhen.nickserf.nl.domain: [udp sum ok] 37318+ ANY? xxxxxxxxxxxxx.tld. (35)
11:20:48.290580 IP (tos 0x0, ttl 47, id 0, offset 0, flags [DF], proto UDP (17), length 63)
    184.105.175.202.30559 > amonhen.nickserf.nl.domain: [udp sum ok] 24439+ ANY? xxxxxxxxxxxxx.tld. (35)
11:20:48.582575 IP (tos 0x0, ttl 47, id 0, offset 0, flags [DF], proto UDP (17), length 63)
    184.105.175.202.53576 > amonhen.nickserf.nl.domain: [udp sum ok] 18641+ ANY? xxxxxxxxxxxxx.tld. (35)
11:20:48.993361 IP (tos 0x0, ttl 47, id 0, offset 0, flags [DF], proto UDP (17), length 63)
    184.105.175.202.58969 > amonhen.nickserf.nl.domain: [udp sum ok] 23014+ ANY? xxxxxxxxxxxxx.tld. (35)

(target domain obscured)

>> The iptables rules mentioned in the first comment work well for us
>
> Well for starters, I [dw]on't use Linux. The server runs FreeBSD. Besides,
> the damage is done by the time these packets hit the server's ethernet card.
> At ~4000qps inbound, this is close to saturating the server's VLAN in the
> data centre. The traffic needs to be blocked before it reaches that. I've
> hopefully got the offending addresses blackholed by the name server now:
> don't know though if those addresses were spoofed or not.

I wasn't assuming you were using the same platform, just sharing our experiences of the past week :-)

Perhaps it's possible to implement a similar rule in IPFW/PF/IPF? That way you at least won't be responding to the queries, and dropping the packets should lighten the load?
Cya,
Jona

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
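The two captures in this thread show the same pattern from the DNS payload's point of view: a one-question query for QTYPE ANY, in Jim's case with an EDNS0 OPT record advertising a 9000-byte UDP buffer. A packet-filter rule that matches such queries has to recognise exactly these bytes. The following Python is an added example, not code from the thread or from either poster: it builds a few query packets in wire format (constructed sample input modelled on the two captures, plus one benign A query from the RFC 5737 documentation address 192.0.2.10), parses them back, classifies ANY queries, and counts them per source so that a sensor could feed an ACL or blackhole list. The function names (`build_query`, `parse_query`, `classify`, `offending_sources`), the 4096-byte "large EDNS" cut-off and the per-source threshold are assumptions of this example. The missing UDP checksum in Jim's capture lives in the UDP header, outside the DNS payload, so it is left to the packet filter and not modelled here.

```python
import struct
from collections import Counter

QTYPE_ANY = 255   # the query type both captures show
TYPE_OPT = 41     # EDNS0 OPT pseudo-RR
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name such as 'ihren.org.' as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, qname, qtype, edns_udp_size=None):
    """Build a single-question query with RD set, optionally carrying an OPT RR.

    Only used to construct sample input; a real sensor reads packets from the
    wire or a pcap."""
    arcount = 1 if edns_udp_size is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if edns_udp_size is not None:
        # OPT RR: root name, type 41, the CLASS field carries the UDP payload
        # size, TTL carries extended RCODE/flags (zero here), empty RDATA.
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def decode_name(buf, off):
    """Decode a wire-format name at buf[off]; returns (name, offset after it)."""
    labels = []
    end = None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (end if end is not None else off)
        labels.append(buf[off:off + length].decode("ascii"))
        off += length


def parse_query(buf):
    """Return (txid, qname, qtype, edns_udp_size) for a one-question query.

    edns_udp_size is None when no OPT RR is present."""
    txid, _flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", buf[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(buf, 12)
    qtype, _qclass = struct.unpack("!HH", buf[off:off + 4])
    off += 4
    edns_udp_size = None
    for _ in range(ancount + nscount + arcount):   # walk the remaining RRs
        _, off = decode_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            edns_udp_size = rclass
    return txid, qname, qtype, edns_udp_size


def classify(buf, large_udp=4096):
    """'ok' for non-ANY queries, 'any' for a plain ANY query, 'any-large-edns'
    when the OPT RR also advertises a UDP buffer of at least large_udp bytes
    (the cut-off is an assumption of this example)."""
    _, _, qtype, udp_size = parse_query(buf)
    if qtype != QTYPE_ANY:
        return "ok"
    if udp_size is not None and udp_size >= large_udp:
        return "any-large-edns"
    return "any"


def offending_sources(packets, threshold):
    """packets: iterable of (src_ip, dns_payload). Return the sources that sent
    at least `threshold` ANY queries, i.e. candidates for an ACL or blackhole."""
    counts = Counter()
    for src, payload in packets:
        if classify(payload) != "ok":
            counts[src] += 1
    return sorted(src for src, n in counts.items() if n >= threshold)


# Constructed sample traffic modelled on the two captures in the thread, plus
# one benign A query from a documentation address (RFC 5737).
SAMPLE_PACKETS = [
    ("37.221.160.125", build_query(18554, "ihren.org.", QTYPE_ANY, edns_udp_size=9000)),
    ("37.221.160.125", build_query(18554, "ihren.org.", QTYPE_ANY, edns_udp_size=9000)),
    ("37.221.160.125", build_query(18554, "ihren.org.", QTYPE_ANY, edns_udp_size=9000)),
    ("184.105.175.202", build_query(43127, "xxxxxxxxxxxxx.tld.", QTYPE_ANY)),
    ("184.105.175.202", build_query(37318, "xxxxxxxxxxxxx.tld.", QTYPE_ANY)),
    ("192.0.2.10", build_query(1, "example.com.", 1, edns_udp_size=4096)),
]

if __name__ == "__main__":
    for src, payload in SAMPLE_PACKETS:
        print(src, len(payload), classify(payload))
    print("block:", offending_sources(SAMPLE_PACKETS, threshold=3))
```

The constructed payload sizes match the "(38)" and "(35)" tcpdump reports in the thread, which is a quick way to confirm the wire layout is right. The classification keys on the QTYPE bytes right after the QNAME, which is the same position a string-matching firewall rule would hit; the counting step is what the server-side blackholing in the thread automates, with the same caveat Jim raises: if the sources are spoofed, the count identifies the victim of the reflection, not the attacker, and dropping on the host still does not relieve the link upstream.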