North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: DNS dDos Attack!
Dan, Might I suggest a few things. 1) If you truly want the nanog community to help, perhaps you wish to post the Ip being attacked as well as a series of sources, including the names of your upstreams involved as their security teams haven't helped you and that's the reason for the post. 2) You probally want to install an icmp rate-limit to help mitigate this attack. By saying CEF, I assume you are using a Cisco router. Here's a quick example: interface <foo> rate-limit input access-group 2000 1536000 200000 200000 conform-action transm it exceed-action drop access-list 2000 permit icmp any any That should drop the icmp down to around a T1s worth. - Jared On Fri, Mar 28, 2003 at 09:28:48AM -0500, Dan Armstrong wrote: > > Sorry, I lied. We are running 8.34Release > > What I cannot figure out is why *our* name server is sending out ICMP > unreachables. The incoming dns queries are coming from random > destinations.... > > I have blocked icmp 3 incoming from that DMZ as not to overwhelm the CEF in > any other routers, but whoever is doing this has this name server at it's > knees. > > Dan. > > > Eric Whitehill wrote: > > > Dan: > > > > Can you updated your version of BIND and install some acls? > > > > -Eric > > > > On Fri, 28 Mar 2003, Dan Armstrong wrote: > > > > > Date: Fri, 28 Mar 2003 09:20:20 -0500 > > > From: Dan Armstrong <email@example.com> > > > To: firstname.lastname@example.org > > > Subject: DNS dDos Attack! > > > > > > > > > I am sorry if this has come up before, but it seems that one of our name > > > > > > servers is under some sort of dDos attack. It seems to be receiving > > > millions of queries form spoofed IPs, and it is spending all of it's > > > time sending back icmp unreachables. > > > > > > It is running bind 4.31 under BSD 4.62STABLE > > > > > > Help! > > > > > > Thanks, > > > Dan. > > > > > > -- Jared Mauch | pgp key available via finger from email@example.com clue++; | http://puck.nether.net/~jared/ My statements are only mine.