[110968] in North American Network Operators' Group
RE: Tracking the DNS amplification attacks (was: isprime DOS in
daemon@ATHENA.MIT.EDU (Roger Marquis)
Sun Jan 25 00:33:32 2009
Date: Sat, 24 Jan 2009 21:33:21 -0800 (PST)
From: Roger Marquis <marquis@roble.com>
To: nanog@nanog.org
In-Reply-To: <mailman.84658.1232852480.43406.nanog@nanog.org>
Cc: dns-operations@lists.oarci.net
Errors-To: nanog-bounces@nanog.org
Frank Bulk wrote:
> I would not recommend sucking in your dns log into array, rather, read line
> by line and iterate over the file, line by line.
Agreed. Python and Pytailer <http://code.google.com/p/pytailer/> are
particularly good tools for this application, running as a daemon and
implementing IP filters as needed.
This is all, however, treating symptoms. The root cause would be far
better fixed with a named patch implementing Chris Paul's recommendation to
NANOG back in August:
>Chris Paul wrote
>> Sorry if this is real stupid for some reason because I don't think about
>> DNS all day (I'm the ldap dude) but since we have faster networks and
>> faster cpus today, what would be the harm in switching to use TCP for
>> DNS clients? The latency on the web isn't dns anymore ever it seems to
>> me.....
>
> That's the best idea I've read so far. You wouldn't want to toggle
> protocols on the first mismatch, but maybe the 10th or 50th. Would also be
> worthwhile to factor in some rate limiting and an algorithm for timing the
> toggle-back. Stir in some simple statefulness via btree and voila.
Roger Marquis
