North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

ongoing DDoS...

  • From: Barry Shein
  • Date: Thu Jan 26 16:52:27 2006

[Feel free to respond with: take it to list XYZZY]

There's been an ongoing DDoS here at (The World) tho
it's not quite DoS'ing (you got this, right?) it's getting very tiring
and obviously is affecting many systems "out there".

The MO: (easy to understand but pretty nasty):

What I presume is a zombie army sending out gazillions of emails to
thousands of hosts out there (not ours) with a randomly generated
(usually) return/source address @ our domain(s). The target addresses
are usually also unknown so it just bounces back at us.

Besides the obvious SMTP traffic this also generates a lot of DNS
traffic. At this point the DNS traffic seems to be more of a nuisance
probably because so many target hosts are retrying. At one point we
were doing around 10K pkts/second in DNS traffic, very unusual.

This has been going on for about a week.

I'd hoped some little mitigation tricks here and there and a few days'
patience and the excess mouths would get tired of this and go back to
stuffing neighbors' pets down their garbage disposals for yucks, etc.

So where does one start. It seems a mother ship needs to be shut down
somewhere, etc. Obviously ID'ing a miscreant would be a nice result.

P.S. If you think "get a firewall": The problem traffic is coming from
legitimate hosts in the form of DNS+SMTP, not the bots (not to us
anyhow.) So not so simple, what's the filter?

        -Barry Shein

The World              | [email protected]           |
Purveyors to the Trade | Voice: 800-THE-WRLD        | Login: Nationwide
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*