North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: DNS dDos Attack!

  • From: Jared Mauch
  • Date: Fri Mar 28 09:53:04 2003

	Dan,

	Might I suggest a few things.

	1) If you truly want the nanog community to help, perhaps
you wish to post the Ip being attacked as well as a series of
sources, including the names of your upstreams involved as
their security teams haven't helped you and that's the reason
for the post.
	2) You probally want to install an icmp rate-limit to
help mitigate this attack.  By saying CEF, I assume you
are using a Cisco router.  Here's a quick example:

interface <foo>
 rate-limit input access-group 2000 1536000 200000 200000 conform-action transm
it exceed-action drop

access-list 2000 permit icmp any any

	That should drop the icmp down to around a T1s worth.

	- Jared

On Fri, Mar 28, 2003 at 09:28:48AM -0500, Dan Armstrong wrote:
> 
> Sorry, I lied.  We are running 8.34Release
> 
> What I cannot figure out is why *our* name server is sending out ICMP
> unreachables.  The incoming dns queries are coming from random
> destinations....
> 
> I have blocked icmp 3 incoming from that DMZ as not to overwhelm the CEF in
> any other routers, but whoever is doing this has this name server at it's
> knees.
> 
> Dan.
> 
> 
> Eric Whitehill wrote:
> 
> > Dan:
> >
> > Can you updated your version of BIND and install some acls?
> >
> > -Eric
> >
> > On Fri, 28 Mar 2003, Dan Armstrong wrote:
> >
> > > Date: Fri, 28 Mar 2003 09:20:20 -0500
> > > From: Dan Armstrong <[email protected]>
> > > To: [email protected]
> > > Subject: DNS dDos Attack!
> > >
> > >
> > > I am sorry if this has come up before, but it seems that one of our name
> > >
> > > servers is under some sort of dDos attack.  It seems to be receiving
> > > millions of queries form spoofed IPs, and it is spending all of it's
> > > time sending back icmp unreachables.
> > >
> > > It is running bind 4.31 under BSD 4.62STABLE
> > >
> > > Help!
> > >
> > > Thanks,
> > > Dan.
> > >
> > >

-- 
Jared Mauch  | pgp key available via finger from [email protected]
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.