You guys might want to be aware that isprime.com (I am not affiliated or
representing them, just passing on info since friends and I noticed this)
is actively under a DOS where lots of people's dns servers around the world
are being queried with bogus sourced dns requests not from port 53 for
'NS? .'. This then bounces back to their authoritative nameservers which
are getting traffic overload. They've asked that those of us that can
should block all but port 53 from the following two IP's (their dns
servers as seen on whois) so as not to block legitimate dns info:
66.230.128.15
66.230.160.1
Here is the response from their abuse department:
To: t...@fries.net
Subject: Re: dos info?
From: ISPrime Support <supp...@isprime.com>
Date: Tue, 20 Jan 2009 15:16:02 -0500 (EST)
Hello,
These are the result of a spoofed dns recursion attack against our servers.
The actual packets in question (the ones reaching your servers) do NOT
originate from our network as such there is no way for us to filter things from
our end.
If you are receiving queries from 76.9.31.42/76.9.16.171 neither of these
machines make legitimate outbound dns requests so an inbound filter of packets
to udp/53 from either of these two sources is perfect.
If you are receiving queries from 66.230.128.15/66.230.160.1 these servers are
authoritative nameservers. Please do not blackhole either of these IPs as they
host many domains. However, these IPs do not make outbound DNS requests so
filtering requests to your IPs from these ips with a destination port of 53
should block any illegitimate requests.
An ACL similar to:
access-list 110 deny udp host 66.230.160.1 neq 53 any eq 53
access-list 110 deny udp host 66.230.128.15 neq 53 any eq 53
Is what you want.
I would also suggest taking a look at the excellent CYMRU secure bind template
(assuming you are running bind), to help you configure your nameservers so that
you do not participate in this attack:
http://www.cymru.com/Documents/secure-bind-template.html.
Thanks for your help in mitigating this attack against us.
Please let me know if I can be of further assistance.
ISPrime Support
supp...@isprime.com
ICQ: 136633378
On 2009-01-20, at 15:14:33, "Todd T. Fries" <t...@fries.net> wrote:
> I was told to write here for your writeup on what to block and such
> to help you guys out given the DOS that is ongoing.
Thanks,
--
Todd Fries .. t...@fries.net
_____________________________________________
| \ 1.636.410.0632 (voice)
| Free Daemon Consulting, LLC \ 1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com \ 1.866.792.3418 (FAX)
| "..in support of free software solutions." \ 250797 (FWD)
| \
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
37E7 D3EB 74D0 8D66 A68D B866 0326 204E 3F42 004A
http://todd.fries.net/pgp.txt
Penned by Mike Lyon on 20090109 16:41.04, we have:
| If so, would you mind hitting me up offlist? I have a few questions that i
| am unable to get answered through normal channels.
|
| Cheers,
| Mike
