North American Network Operators Group


Re: ongoing DDoS...

  • From: Suresh Ramasubramanian
  • Date: Fri Jan 27 00:06:12 2006

On 1/27/06, Barry Shein <[email protected]> wrote:
> Besides the obvious SMTP traffic this also generates a lot of DNS
> traffic. At this point the DNS traffic seems to be more of a nuisance
> probably because so many target hosts are retrying. At one point we
> were doing around 10K pkts/second in DNS traffic, very unusual.
>
> This has been going on for about a week.

At least some broken resolvers will keep re-querying you, so see if you
can't throttle or rate limit DNS queries from problem IPs for a while.
That, and increase TTLs a bit.

As for the SMTP -

* Don't accept email for catchall aliases - try to reject all you can
at the gateway

* Bounces and backscatter - RFC violation or not, accepting bounces
takes a backseat to keeping your mail system up and running.
TEMPORARILY turn off accepting mail from:<>, especially if you're
seeing far, far more bounce traffic to nonexistent addresses on your
site than valid bounces.

Long term - see if you can't use http://www.mipassoc.org/batv/
especially if all your users send email through your smtp server from
outside (say using AUTH) or ssh in and use pine / elm or whatever on
your shell servers.

>
> So where does one start? It seems a mother ship needs to be shut down
> somewhere, etc. Obviously ID'ing a miscreant would be a nice result.
>

You sure it's just one botnet hitting you? Shutting off a mothership
often means that the zombies become even more zombied and keep
pounding on your server long after the mothership is dead.

--srs

--
Suresh Ramasubramanian ([email protected])
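Added example, not from this thread or from the BATV project: a minimal prvs-style return-path tagging and bounce check in Python, following the general shape of the BATV scheme (key number, expiry day, short HMAC over the original address) with a constructed secret; the exact field layout and expiry arithmetic here are assumptions and simplifications of the real specification.

```python
import hashlib
import hmac
import time

# Constructed example secret; a real deployment keeps this in configuration.
SECRET = b"example-batv-key-not-for-production"
KEY_NUM = 0          # key rotation index, one digit in the tag
VALIDITY_DAYS = 7    # how long a tagged return path stays valid


def _day_number(ts):
    """Days since the epoch, used for the expiry field of the tag."""
    return int(ts // 86400)


def _sig(key_num, expiry, local_part, domain):
    """Six hex digits of HMAC-SHA1 over key number, expiry and address."""
    msg = f"{key_num}{expiry:03d}{local_part}@{domain}".encode()
    return hmac.new(SECRET, msg, hashlib.sha1).hexdigest()[:6]


def tag_sender(address, now=None):
    """Rewrite user@domain into a prvs-tagged MAIL FROM for outbound mail."""
    now = time.time() if now is None else now
    local_part, domain = address.split("@", 1)
    expiry = (_day_number(now) + VALIDITY_DAYS) % 1000
    sig = _sig(KEY_NUM, expiry, local_part, domain)
    return f"prvs={KEY_NUM}{expiry:03d}{sig}={local_part}@{domain}"


def verify_recipient(address, now=None):
    """Decide whether a bounce (MAIL FROM:<>) to this RCPT TO is legitimate.

    Returns (accept, detail). Untagged, forged or expired tags are rejected
    at the gateway, which is what stops backscatter from filling queues."""
    now = time.time() if now is None else now
    local_part, domain = address.split("@", 1)
    if not local_part.startswith("prvs="):
        return False, "untagged recipient: we never sent this, reject bounce"
    try:
        tag, orig_local = local_part[5:].split("=", 1)
        key_num, expiry, sig = int(tag[0]), int(tag[1:4]), tag[4:10]
    except (ValueError, IndexError):
        return False, "malformed prvs tag"
    if not hmac.compare_digest(sig, _sig(key_num, expiry, orig_local, domain)):
        return False, "signature mismatch: forged tag or unknown key"
    today = _day_number(now) % 1000
    # Expiry wraps modulo 1000 days; the tag is live while still within window.
    if (expiry - today) % 1000 > VALIDITY_DAYS:
        return False, "tag expired"
    return True, f"{orig_local}@{domain}"
```

Bounces addressed to an untagged local part can be refused outright, which turns the flood of bounces to nonexistent addresses into cheap rejections rather than accepted mail.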