|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: anycast and ddos
At 01:38 AM 07-05-05 +0000, Christopher L. Morrow wrote: I scanned my Telescope report of 3,382 spoofed DDOS attacks last week (May 1-7) and could not find any listed for 216.168.229.0/24, worldnic.com, netsol.com or AS6245. -Hank worldnic.com. 86400 IN NS ns1.netsol.com. worldnic.com. 86400 IN NS ns2.netsol.com. worldnic.com. 86400 IN NS ns3.netsol.com. ;; ADDITIONAL SECTION: ns1.netsol.com. 86400 IN A 216.168.229.228 ns2.netsol.com. 86400 IN A 216.168.229.229 ns3.netsol.com. 86400 IN A 216.168.229.229 why have 3 records and 2 ips? odd. You'd think they would have more ips in that /21 or other /24's to allocate from, just in case they had to jettison 1 address which was getting pounded :( (not that these were getting attacked per-say, but still) > [0] - as it seems that the ddos sources were ip address > spoofed (which is why the service still worked for > tcp), i owe paul an apology for downplaying the > immediacy of the need for source address filtering. > It's also not clear that the sources were spoofed, if as Patrick says they put in a riverhead(s) (which isn't too far fetched) the normal mode for 'protection' of DNS is to: 1) truncate 2) rate-limit - and cache (I think it caches atleast, I know it will go into proxy mode and rate-limit) truncate forces TCP which allows RHG to verify the source address is really asking to chat, rate-limit function keeps 'bad actors' from beatting the hell out of the protected resource. So, without more info from NetSol (seems not to be forthcoming?) about the mix of attack traffic (which the RHG will provide) it's hard to state definitively that the attack was 'mostly spoofed' :(
|