I've seen this behavior before, also. I thought it was interesting that two
servers side by side receiving the same attacks/ratios, only serving DNS
(BIND 8.2.x*), acted in this manner:

Redhat 6.2 w/dual proc 833, 512/ram: started "losing" RR records
Solaris 7 on a Sparc 10 (hehe) w/256: rebooted and served the correct records

I'm curious to see how other OSes react to these attacks. My guess is that BSD
systems (such as FreeBSD and BSDi) will react similarly to the Solaris, based on
my past experience with these systems. So I am curious to see if the RR
record "loss" is an OS-specific behaviour, especially since Redhat has priors in
misplacing information in earlier versions of the OS.

* I say BIND 8.2.x, because this continued to occur through the various BIND 8.2
releases.

Best regards,
Karyn Ulriksen
Valkaryn Internet Group
URL: http://www.valkaryn.net
email: [email protected]
===========================================
"Decisions should be made in the space of seven breaths."
I've seen DOS-type behavior where a client will query a resolver for a
name that doesn't exist, and the client does not accept the answer that the
name does not exist and immediately sends another query, regardless
of whether or not the resolver declared itself authoritative for the
negative answer.

--
/ak
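The retry pattern /ak describes (a client that keeps re-asking for a name it has already been told does not exist) is easy to spot on the resolver side from the query log. The following is an added example, not code from anyone in this thread; it parses a constructed, BIND-style query/response log (timestamp, client address, query name, response code; the format is an assumption, not any particular server's log format) and flags client/name pairs that hit a threshold of NXDOMAIN answers inside a short sliding window, which separates a looping client from a user who merely mistyped a name a few times.

```python
"""Flag clients that repeatedly re-query a name after receiving NXDOMAIN.

Added example for the thread above; the log format and sample lines are
constructed for illustration and do not come from a real server.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <client> <qname> <rcode>".
# 192.0.2.10 loops on a non-existent name (12 NXDOMAIN answers in 3 s);
# 198.51.100.7 is a normal client with an occasional typo.
SAMPLE_LOG = """\
2000-06-01T10:00:00 192.0.2.10 www.example.net NXDOMAIN
2000-06-01T10:00:00 192.0.2.10 www.example.net NXDOMAIN
2000-06-01T10:00:00 192.0.2.10 www.example.net NXDOMAIN
2000-06-01T10:00:01 192.0.2.10 www.example.net NXDOMAIN
2000-06-01T10:00:01 192.0.2.10 www.example.net NXDOMAIN
2000-06-01T10:00:01 192.0.2.10 www.example.net NXDOMAIN
2000-06-01T10:00:02 192.0.2.10 www.example.net NXDOMAIN
2000-06-01T10:00:02 192.0.2.10 www.example.net NXDOMAIN
2000-06-01T10:00:02 192.0.2.10 www.example.net NXDOMAIN
2000-06-01T10:00:03 192.0.2.10 www.example.net NXDOMAIN
2000-06-01T10:00:03 192.0.2.10 www.example.net NXDOMAIN
2000-06-01T10:00:03 192.0.2.10 www.example.net NXDOMAIN
2000-06-01T10:00:00 198.51.100.7 typo.example.net NXDOMAIN
2000-06-01T10:00:05 198.51.100.7 www.example.net NOERROR
2000-06-01T10:00:30 198.51.100.7 typo.example.net NXDOMAIN
2000-06-01T10:01:00 198.51.100.7 typo.example.net NXDOMAIN
"""


def parse_line(line):
    """Split one log line into (timestamp, client, normalized qname, rcode).

    Query names are case-insensitive, so they are lower-cased and the
    trailing dot is dropped to make repeated queries compare equal.
    """
    ts, client, qname, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode


def find_nxdomain_retries(log_text, window_seconds=5, threshold=10):
    """Return {(client, qname): peak_count} for pairs whose NXDOMAIN answers
    reach `threshold` within any `window_seconds`-long sliding window.

    Only the peak burst matters: three NXDOMAINs spread over a minute is a
    user retrying, twelve in three seconds is a client ignoring the answer.
    """
    nxdomain_times = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = parse_line(line)
        if rcode == "NXDOMAIN":
            nxdomain_times[(client, qname)].append(ts)

    offenders = {}
    for key, times in nxdomain_times.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits within window_seconds.
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[key] = peak
    return offenders


if __name__ == "__main__":
    for (client, qname), count in find_nxdomain_retries(SAMPLE_LOG).items():
        print(f"{client} re-queried {qname} {count} times despite NXDOMAIN")
```

A flagged pair is a candidate for per-client rate limiting or a firewall rule at the resolver; the window and threshold should be tuned against a few days of real logs so that legitimate retry behaviour (stub resolvers commonly retry a handful of times on their own) stays below the line.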
Get ready for more DOS-like behavior as systems get deployed that have
10 second TTLs in the DNS. These systems are used to provide multi-ISP
redundancy by pinging each upstream's router, and when a ping fails, start
giving out a DNS response using the other ISP IP range. Same FQDN, new IP.

This of course is driven by the desire for redundancy in small businesses
who make the Internet an integral part of their business plan. Either they
can't get PI space and don't have (or don't want to spend) the $$$ to do
BGP, or are unable to convince their upstream to cut a hole in their CIDR
block and allow a 2nd party to announce that chunk (which for some is as
small as /28).

James H. Smith II NNCDS NNCSE
Systems Engineer
The Presidio Corporation