[110973] in North American Network Operators' Group
Re: Tracking the DNS amplification attacks (was: isprime DOS in
daemon@ATHENA.MIT.EDU (James Hess)
Sun Jan 25 04:25:16 2009
In-Reply-To: <!&!AAAAAAAAAAAuAAAAAAAAAKTyXRN5/+lGvU59a+P7CFMBAN6gY+ZG84BMpVQcAbDh1IQAAAATbSgAABAAAADKmUdbrpmRTrsB82N9UjfvAQAAAAA=@iname.com>
Date: Sun, 25 Jan 2009 03:23:05 -0600
From: James Hess <mysidia@gmail.com>
To: Frank Bulk <frnkblk@iname.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
On Sat, Jan 24, 2009 at 9:00 PM, Frank Bulk <frnkblk@iname.com> wrote:
> I would not recommend sucking in your DNS log into an array, rather, read line by line and iterate over the file, line by line.
>
> Frank
True.. reading into an array can get a bit nasty, if your server logs are a few gigabytes in size.
Could use C, also...
http://pastebin.com/f4c2ff010
Scanning your logs after the fact is definitely not as good as separating DNS servers that are authoritative for zones and picking nameserver software such as TinyDNS or similar options for authoritative DNS usage that won't respond to queries for the root or other zones the DNS server is not directed to be used for, and using ACLs/firewalls to prevent outside queries against other DNS servers that aren't delegated zones.
It's a bit difficult to apply a BIND patch that doesn't exist yet in vendor-supplied implementations of BIND, at least..
--
-J
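A streaming log scanner in the spirit of the line-by-line approach discussed in this message, added here as an example (it is not the pastebin program James links to): it reads a BIND 9 style query log one line at a time and counts, per source address, queries for NS of the root zone, the kind of query the reply says an authoritative server should not be answering. The log line format and the sample lines are assumed and constructed.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Iterator, Tuple

# BIND 9 query-log line format is assumed; adjust the regex for your logger's output.
QUERY_RE = re.compile(
    r"client (?P<src>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse_queries(lines: Iterable[str]) -> Iterator[Tuple[str, str, str]]:
    """Yield (source_ip, qname, qtype) for every query line, one line at a time.
    Accepts any iterable of lines, so an open file object streams without
    the whole log ever being held in memory."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m.group("src"), m.group("qname"), m.group("qtype")

def root_ns_sources(lines: Iterable[str], threshold: int = 3) -> Dict[str, int]:
    """Count queries for NS of the root zone ('.') per source address and
    return only the sources at or above threshold.  In an amplification
    attack the source is usually the spoofed victim, so this is a list of
    who is being hit through your server, not a block list."""
    counts: Counter = Counter()
    for src, qname, qtype in parse_queries(lines):
        if qname == "." and qtype.upper() == "NS":
            counts[src] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def scan_file(path: str, threshold: int = 3) -> Dict[str, int]:
    """Open the log and stream it line by line (no readlines(), no array)."""
    with open(path, "r", errors="replace") as fh:
        return root_ns_sources(fh, threshold)

# Constructed sample log (not real traffic); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
25-Jan-2009 03:00:01.001 client 192.0.2.10#3000: query: . IN NS +
25-Jan-2009 03:00:01.002 client 198.51.100.7#41211: query: www.example.net IN A +
25-Jan-2009 03:00:01.003 client 192.0.2.10#3000: query: . IN NS +
25-Jan-2009 03:00:01.004 client 192.0.2.10#3000: query: . IN NS +
25-Jan-2009 03:00:01.005 client 203.0.113.5#53: query: . IN NS +
25-Jan-2009 03:00:01.006 client 198.51.100.7#41211: query: mail.example.net IN MX +
"""

if __name__ == "__main__":
    import sys
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else root_ns_sources(SAMPLE_LOG.splitlines())
    for ip, n in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{ip}\t{n}")
```

Run it with a log path as the first argument to stream a real file; with no argument it runs over the constructed sample.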