North American Network Operators Group
Re: ongoing DDoS...
On 1/27/06, Barry Shein <email@example.com> wrote:
> Besides the obvious SMTP traffic this also generates a lot of DNS
> traffic. At this point the DNS traffic seems to be more of a nuisance
> probably because so many target hosts are retrying. At one point we
> were doing around 10K pkts/second in DNS traffic, very unusual.
>
> This has been going on for about a week.

At least some broken resolvers will keep re-querying you, so see if you
can't throttle or rate limit dns queries from problem IPs for a while.
That, and increase TTLs a bit.

As for the smtp -

* Don't accept email for catchall aliases - try to reject all you can at
  the gateway

* Bounces and backscatter - RFC violation or not, accepting bounces
  takes a backseat to keeping your mail system up and running.
  TEMPORARILY turn off accepting mail from:<>, especially if you're
  seeing far, far more bounce traffic to nonexistent addresses on your
  site than valid bounces.

Long term - see if you can't use http://www.mipassoc.org/batv/,
especially if all your users send email through your smtp server from
outside (say using AUTH) or ssh in and use pine / elm or whatever on
your shell servers.

> So where does one start. It seems a mother ship needs to be shut down
> somewhere, etc. Obviously ID'ing a miscreant would be a nice result.

You sure it's just one botnet hitting you? Shutting off a mothership
often means that the zombies become even more zombied and keep pounding
on your server long after the mothership is dead.

--srs

--
Suresh Ramasubramanian (firstname.lastname@example.org)
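
The BATV suggestion above, as an added example that is not part of the original post: a simplified sketch of tagging the envelope sender so a gateway can reject null-sender bounces for mail it never sent, instead of refusing mail from:<> outright. The tag layout (key digit, expiry day, truncated HMAC-SHA1) is an assumption modelled on the BATV prvs scheme; the key, lifetime, function names and addresses are constructed.

```python
import hashlib
import hmac
import re

KEY_NUM = 0                      # constructed key index (one digit)
KEY = b"constructed-demo-key"    # constructed secret; load real keys from config
LIFETIME_DAYS = 7                # assumed validity window for a tagged sender

PRVS = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)$", re.I)

def _mac(kddd, addr):
    # First 3 bytes (6 hex digits) of HMAC-SHA1 over "KDDD" + original address.
    return hmac.new(KEY, (kddd + addr).encode(), hashlib.sha1).hexdigest()[:6]

def sign(mail_from, today):
    """Tag an outbound envelope sender; `today` is days since 1970-01-01."""
    local, domain = mail_from.rsplit("@", 1)
    kddd = f"{KEY_NUM}{(today + LIFETIME_DAYS) % 1000:03d}"
    return f"prvs={kddd}{_mac(kddd, mail_from)}={local}@{domain}"

def check_bounce(rcpt_to, today):
    """For a message arriving with MAIL FROM:<>, return the original address
    if the recipient carries a valid, unexpired tag; otherwise return None so
    the gateway can reject at RCPT time."""
    local, _, domain = rcpt_to.rpartition("@")
    m = PRVS.match(local)
    if not m:
        return None                       # untagged: we never sent this
    k, ddd, sig, orig_local = m.groups()
    if int(k) != KEY_NUM:
        return None                       # unknown key number
    orig = f"{orig_local}@{domain}"
    if not hmac.compare_digest(sig.lower(), _mac(k + ddd, orig)):
        return None                       # forged or altered tag
    # Days remaining, taken modulo 1000 so the 3-digit day counter can wrap.
    if (int(ddd) - today) % 1000 > LIFETIME_DAYS:
        return None                       # tag has expired
    return orig

if __name__ == "__main__":
    day = 13175                           # constructed "today" (days since 1970)
    tagged = sign("user@example.com", day)
    print(tagged, "->", check_bounce(tagged, day))
    print("user@example.com ->", check_bounce("user@example.com", day))
```

Only mail arriving with an empty envelope sender is checked this way; ordinary mail to the untagged address is accepted as usual.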