On 24/01/2009, at 6:46 AM, Steven Lisson wrote:
> Hi,
> I agree with seeing no traffic to/from 66.230.128.15 but am still
> seeing flows 'from' 66.230.160.1
> Regards,
> Steve
Hi Steve,
There is at least an iptables rule you can use to drop this specific
query, assuming your nameservers run linux.
http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/
The bind-users mailing list suggested having the ISPs trace back the
flows and find the networks emitting the spoofed packets, and have
those networks implement BCP 38. While that's the 'right' solution
(everyone should be doing ingress filtering, sure, impossible to argue
against it), not every network out there is operated by people who
give a damn.
This will work at least until the kiddies improve their scripts to
query for names that actually exist.
On 24/01/2009, at 8:21 AM, Chris McDonald wrote:
> We [AS3491] null0'd the IP earlier. Rest-of-world encouraged to do
> the same :/
Good luck with that. Right now they're targeting ISPrime, and you've
just made the DoS even more effective for them. With any luck, the
rest of the world will follow suit and the bad guys win! yay! :)
Short of getting the rest of the world to properly implement ingress
filtering (ha, ha), I think dropping the specific packets that
generate the reflected traffic is good enough for now. The load on the
reflectors is minimal.
Nathan.
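The "drop this specific query" approach Nathan points at relies on matching the question section of the spoofed packet rather than the (spoofed) source address. The following is an added example, not code from the thread or from the linked post, showing what that match has to look at. It assumes the query being reflected is an NS query for the root zone (`. IN NS`) with the recursion-desired bit set, which is what the post's title suggests; the function names, the sample packets and the iptables offsets (20-byte IPv4 header plus 8-byte UDP header, so the question begins at packet offset 40) are this example's own assumptions, and the generated rule should be confirmed against live packet counters before being trusted.

```python
import struct

# Constants from the DNS wire format (RFC 1035).
QTYPE_NS = 2
QCLASS_IN = 1
FLAG_QR = 0x8000
FLAG_RD = 0x0100
HEADER_LEN = 12
# Assumed layout for the kernel-side match: 20-byte IPv4 header + 8-byte UDP
# header means the DNS header occupies packet offsets 28..39 and the first
# question starts at offset 40 (this shifts if the IP header carries options).
QUESTION_PACKET_OFFSET = 20 + 8 + HEADER_LEN


def build_query(qname, qtype, rd=True, txid=0x1234):
    """Build a minimal DNS query payload: 12-byte header plus one question.

    Used here only to construct sample packets; it is not part of the filter.
    """
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    name = b""
    for label in qname.rstrip(".").split("."):
        if label:  # the root name "." has no labels, only the terminating zero
            name += bytes([len(label)]) + label.encode("ascii")
    name += b"\x00"
    return header + name + struct.pack("!HH", qtype, QCLASS_IN)


def parse_question(payload):
    """Return (rd, qname, qtype, qclass, question_end) for the first question.

    Returns None for anything that is not a well-formed single-question query,
    so a malformed or truncated packet is never misclassified.
    """
    if len(payload) < HEADER_LEN + 5:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:HEADER_LEN])
    if flags & FLAG_QR or qdcount != 1:
        return None
    pos = HEADER_LEN
    labels = []
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not belong in a query name
            return None
        if pos + length > len(payload):
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    pos += 4
    qname = ".".join(labels) + "."   # the root zone parses as "."
    return bool(flags & FLAG_RD), qname, qtype, qclass, pos


def is_spurious_root_ns_query(payload):
    """True for the query assumed here to be the reflected one: '. IN NS' with RD set."""
    parsed = parse_question(payload)
    if parsed is None:
        return False
    rd, qname, qtype, qclass, _ = parsed
    return rd and qname == "." and qtype == QTYPE_NS and qclass == QCLASS_IN


def string_match_pattern(payload):
    """Hex pattern (iptables -m string --hex-string syntax) covering exactly the
    question section of `payload`, or None if the payload is not a valid query."""
    parsed = parse_question(payload)
    if parsed is None:
        return None
    end = parsed[4]
    return "|" + payload[HEADER_LEN:end].hex() + "|"


def iptables_rule(payload):
    """Assumed (not from the thread) iptables rule dropping any UDP/53 packet
    whose question section, at packet offset 40, equals that of `payload`.
    The root-NS case yields --hex-string '|0000020001|'."""
    pattern = string_match_pattern(payload)
    if pattern is None:
        return None
    length = (len(pattern) - 2) // 2
    start = QUESTION_PACKET_OFFSET
    return ("iptables -A INPUT -p udp --dport 53 -m string --algo bm "
            f"--from {start} --to {start + length} --hex-string '{pattern}' -j DROP")


if __name__ == "__main__":
    # Constructed sample packets: the assumed spoofed query and two legitimate ones.
    samples = {
        "root NS, RD set (spoofed)": build_query(".", QTYPE_NS, rd=True),
        "root NS, RD clear": build_query(".", QTYPE_NS, rd=False),
        "example.com A": build_query("example.com", 1),
    }
    for label, pkt in samples.items():
        print(f"{label:28s} drop={is_spurious_root_ns_query(pkt)}")
    print(iptables_rule(build_query(".", QTYPE_NS)))
```

The parser is the reference for what the kernel-side string match is really testing: five question bytes at a fixed offset. That is why Nathan's caveat about the scripts moving to a different name holds; a change of QNAME changes those bytes and the rule stops matching, while the reflector still answers. It is also why the rule does not touch legitimate traffic to a real zone, which is the property that makes it cheaper than null-routing the victim.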