[110889] in North American Network Operators' Group


RE: isprime DOS in progress

daemon@ATHENA.MIT.EDU (Justin Krejci)
Wed Jan 21 12:32:41 2009

From: "Justin Krejci" <jkrejci@usinternet.com>
To: "'Graeme Fowler'" <graeme@graemef.net>,
	"'Nanog Mailing list'" <nanog@nanog.org>
Date: Wed, 21 Jan 2009 11:32:37 -0600
In-Reply-To: <1232557692.9593.57.camel@squonk.lboro.ac.uk>
Errors-To: nanog-bounces@nanog.org



-----Original Message-----
From: Graeme Fowler [mailto:graeme@graemef.net] 
Sent: Wednesday, January 21, 2009 11:08 AM
To: Nanog Mailing list
Subject: Re: isprime DOS in progress


> I've been seeing a lot of noise from the latter two addresses after
> switching on query logging (and finishing an application of Team Cymru's
> excellent template) so I decided to DROP traffic from the addresses
> (with source port != 53) at the hosts in question.

> Well, blow me down if they didn't completely stop talking to me. Four
> dropped packets each, and they've gone away.

> Something smells "not quite right" here - if the traffic is spoofed, and
> my "Refused" responses have been flying right back to the *real* IP
> addresses, how are the spoofing hosts to know that I'm dropping the
> traffic?
>
> Even if I used a REJECT policy, I'd expect the ICMP messages to go back
> to the appropriate - as in real - hosts, rather than the spoofing
> sources.
>
> Something here is very odd, very odd indeed... or I'm being dumb. It's
> happened before.
>
> Graeme

In looking at my query logs, I am seeing only requests from 66.230.160.1 and
66.230.128.15, so I've done the same thing with iptables, and the rules are
resulting in an ever-growing number of packets being dropped.


# iptables -nvL | grep -F -B 1 -A 1 66.230.160.1 | awk '{ print $1,$2,$3,$8,$10,$11,$12 }'

pkts  bytes target source
49517 2228K DROP   66.230.160.1 udp spt:!53 dpt:53
35905 1616K DROP   66.230.128.15 udp spt:!53 dpt:53
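Added example, not part of the thread or of either poster's setup: the
procedure above (find the noisy sources in the query log, drop UDP to port 53
from them unless the source port is also 53, then watch the DROP counters) as
a small script. It assumes BIND 9 style query-log lines ("client A.B.C.D#port:
query: ...") and the default `iptables -nvL` column layout; the log lines and
the two counter listings below are constructed for the example, and only the
two 66.230.x addresses come from the post.

```python
import re

# --- constructed sample input (not from the thread) --------------------------
# BIND 9 style query-log lines. The two 66.230.x clients are the addresses
# named in the post; ports, names and the third client are made up.
QUERY_LOG = """\
21-Jan-2009 11:20:01.103 client 66.230.160.1#53532: query: example.com IN A +
21-Jan-2009 11:20:01.104 client 66.230.160.1#53533: query: example.com IN A +
21-Jan-2009 11:20:01.110 client 66.230.128.15#1024: query: example.com IN A +
21-Jan-2009 11:20:01.111 client 192.0.2.10#5353: query: www.example.net IN AAAA +
21-Jan-2009 11:20:01.120 client 66.230.160.1#53534: query: example.com IN A +
21-Jan-2009 11:20:01.121 client 66.230.128.15#1025: query: example.com IN A +
21-Jan-2009 11:20:01.130 client 66.230.160.1#53535: query: example.com IN A +
21-Jan-2009 11:20:01.131 client 66.230.128.15#1026: query: example.com IN A +
21-Jan-2009 11:20:01.140 client 66.230.160.1#53536: query: example.com IN A +
"""

# Two constructed `iptables -nvL` snapshots taken a little apart; the first
# two rows mirror the counters quoted in the post, the third is made up.
LISTING_1 = """\
Chain INPUT (policy ACCEPT 1234 packets, 98765 bytes)
 pkts bytes target     prot opt in     out     source               destination
49517 2228K DROP       udp  --  *      *       66.230.160.1         0.0.0.0/0            udp spt:!53 dpt:53
35905 1616K DROP       udp  --  *      *       66.230.128.15        0.0.0.0/0            udp spt:!53 dpt:53
    4   180 DROP       udp  --  *      *       198.51.100.7         0.0.0.0/0            udp spt:!53 dpt:53
"""
LISTING_2 = """\
Chain INPUT (policy ACCEPT 1290 packets, 101234 bytes)
 pkts bytes target     prot opt in     out     source               destination
50211 2259K DROP       udp  --  *      *       66.230.160.1         0.0.0.0/0            udp spt:!53 dpt:53
36490 1642K DROP       udp  --  *      *       66.230.128.15        0.0.0.0/0            udp spt:!53 dpt:53
    4   180 DROP       udp  --  *      *       198.51.100.7         0.0.0.0/0            udp spt:!53 dpt:53
"""

CLIENT_RE = re.compile(r"client (\d{1,3}(?:\.\d{1,3}){3})#\d+:")
NUM_RE = re.compile(r"^(\d+)([KMG]?)$")
SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


def count_query_sources(log_text):
    """Queries per client address in BIND-style query-log text."""
    counts = {}
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def noisy_sources(counts, threshold):
    """Addresses with at least `threshold` queries, busiest first."""
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [ip for ip, n in ordered if n >= threshold]


def iptables_drop_rules(sources):
    """Commands producing the rule shown in the post (udp spt:!53 dpt:53):
    drop UDP to port 53 from each source unless the source port is 53."""
    return [f"iptables -A INPUT -p udp -s {ip} ! --sport 53 --dport 53 -j DROP"
            for ip in sources]


def parse_counter(text):
    """Expand the decimal K/M/G suffixes `iptables -nvL` uses for large
    counters (`iptables -nvxL` prints exact values instead)."""
    m = NUM_RE.match(text)
    if not m:
        raise ValueError(f"not an iptables counter: {text!r}")
    return int(m.group(1)) * SUFFIX[m.group(2)]


def parse_drop_counters(listing):
    """Map source -> (pkts, bytes) for each DROP rule matching dpt:53.
    Columns: pkts bytes target prot opt in out source destination [matches]."""
    result = {}
    for line in listing.splitlines():
        f = line.split()
        if len(f) < 9 or f[2] != "DROP" or "dpt:53" not in f[9:]:
            continue
        result[f[7]] = (parse_counter(f[0]), parse_counter(f[1]))
    return result


def still_growing(before, after):
    """Sources whose DROP packet counter rose between two listings, i.e. the
    'ever growing' case from the post."""
    return sorted(ip for ip, (pkts, _) in after.items()
                  if pkts > before.get(ip, (0, 0))[0])


if __name__ == "__main__":
    sources = noisy_sources(count_query_sources(QUERY_LOG), threshold=3)
    for rule in iptables_drop_rules(sources):
        print(rule)
    before, after = parse_drop_counters(LISTING_1), parse_drop_counters(LISTING_2)
    print("still being hit:", still_growing(before, after))
```

Run it against real input with `tail -n 10000 query.log` and two `iptables -nvL`
captures a minute apart; a source that stops growing after a few drops (Graeme's
case) versus one that keeps climbing (Justin's case) is exactly the difference
the two posts are puzzling over.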


