[143111] in North American Network Operators' Group


Re: DNS DoS ???

daemon@ATHENA.MIT.EDU (Stefan Fouant)
Fri Jul 29 15:00:02 2011

In-Reply-To: <CACRGtSOSPm12YE3S=n801ooun32VrXsRfP7yqO55kcHMSnss9A@mail.gmail.com>
From: Stefan Fouant <sfouant@shortestpathfirst.net>
Date: Fri, 29 Jul 2011 15:02:51 -0400
To: Elliot Finley <efinley.lists@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Ping me offline, there are a few other folks who have seen this as well.  The isc.org record is commonly used in reflection attacks because the size of the record is so large, so the amplification factor is greatly increased.  Can you check to see if +edns=0 was set in the query?  That would be a sure sign this is related to what others have seen...

Sorry for the top post, I'm on my iPad.

Stefan Fouant
JNCIE-M, JNCIE-ER, JNCIE-SEC, JNCI
Technical Trainer, Juniper Networks
http://www.shortestpathfirst.net
http://www.twitter.com/sfouant

Sent from my iPad

On Jul 29, 2011, at 2:51 PM, Elliot Finley <efinley.lists@gmail.com> wrote:

> my DNS servers were getting slow so I blocked recursive queries for
> all but my own network.
>
> Then I was getting so many of these:
>
> ns2 named[5056]: client 78.159.111.190#25345: query (cache)
> 'isc.org/ANY/IN' denied
>
> that it was still slowing things down.  I've since written a script to
> watch the log and throw these into the box local firewall.  If I
> expire the entries after 24 hours then I accumulate about 10200 unique
> IPs.  If I expire after 48 hours, then it's just over 20000 unique
> IPs.
>
> Is anyone else seeing this?
>
> Elliot
>
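
An added example, not the poster's script and not code from anyone in the thread: a Python sketch of the log-watching approach Elliot describes. It parses BIND "query (cache) '.../ANY/IN' denied" lines, keeps only the clients seen inside an expiry window (24 or 48 hours, the two windows from the post), and emits one host-firewall rule per client. The sample log lines are constructed for the example; 78.159.111.190 is the one address quoted in the thread, the others are documentation addresses. The syslog-style line layout, the year 2011 for the timestamps and the iptables rule shape are assumptions.

```python
"""Turn BIND 'query denied' log lines into an expiring block list.

Added example after the thread's log-watching script; not that script.
Sample log lines are constructed.  Only 78.159.111.190 is from the
quoted message; the other addresses are RFC 5737 / private ranges.
"""
import re
from datetime import datetime, timedelta

# Assumed syslog-style layout.  BIND's own query log can differ (for
# example a view or category prefix); adjust the pattern if it does.
DENIED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query \(cache\) "
    r"'(?P<qname>[^/]+)/(?P<qtype>[A-Z0-9]+)/IN' denied"
)

LOG_YEAR = 2011                       # syslog stamps carry no year; assumed
NOW = datetime(2011, 7, 29, 15, 0, 0)  # "current time" for the sample run

# Constructed sample log: three ANY/isc.org refusals inside the last day,
# one a day earlier, one two days earlier, one unrelated A lookup refused,
# and one line that is not a query at all.
SAMPLE_LOG = """\
Jul 29 14:40:01 ns2 named[5056]: client 78.159.111.190#25345: query (cache) 'isc.org/ANY/IN' denied
Jul 29 14:40:02 ns2 named[5056]: client 78.159.111.190#25346: query (cache) 'isc.org/ANY/IN' denied
Jul 29 14:40:05 ns2 named[5056]: client 192.0.2.17#53: query (cache) 'isc.org/ANY/IN' denied
Jul 28 09:12:44 ns2 named[5056]: client 198.51.100.8#4444: query (cache) 'isc.org/ANY/IN' denied
Jul 27 10:00:00 ns2 named[5056]: client 203.0.113.250#1024: query (cache) 'isc.org/ANY/IN' denied
Jul 29 14:41:00 ns2 named[5056]: client 10.0.0.5#40001: query (cache) 'example.com/A/IN' denied
Jul 29 14:41:03 ns2 named[5056]: zone example.net/IN: loaded serial 2011072901
"""


def parse_denied(line, year=LOG_YEAR):
    """Return (timestamp, client_ip, qname, qtype) for a denied-query line, else None."""
    m = DENIED_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m.group("ts").split())  # collapse "Jul  9" to "Jul 9"
    ts = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group("ip"), m.group("qname"), m.group("qtype")


def last_seen(lines, qtype="ANY"):
    """Map client IP -> most recent denied query from it (optionally only one qtype)."""
    seen = {}
    for line in lines:
        rec = parse_denied(line)
        if rec is None:
            continue
        ts, ip, _qname, qt = rec
        if qtype is not None and qt != qtype:
            continue
        if ip not in seen or ts > seen[ip]:
            seen[ip] = ts
    return seen


def offenders(lines, expire_after, now, qtype="ANY"):
    """Clients seen within the last `expire_after`; older entries have expired."""
    cutoff = now - expire_after
    return {ip for ip, ts in last_seen(lines, qtype).items() if ts >= cutoff}


def block_list(hours, lines=None, now=NOW, qtype="ANY"):
    """Convenience wrapper: offenders from the sample log for an N-hour window."""
    lines = SAMPLE_LOG.splitlines() if lines is None else lines
    return offenders(lines, timedelta(hours=hours), now, qtype)


def iptables_rules(ips, chain="INPUT"):
    """One DROP rule per offender for UDP/53 on the local host firewall (assumed shape)."""
    return [f"iptables -I {chain} -s {ip} -p udp --dport 53 -j DROP" for ip in sorted(ips)]


if __name__ == "__main__":
    for hours in (24, 48):
        ips = block_list(hours)
        print(f"{hours}h window: {len(ips)} unique IPs")
        for rule in iptables_rules(ips):
            print("  " + rule)
```

Two points worth keeping in mind when running something like this: in a reflection attack the client address on the refused query is normally the spoofed address of the victim rather than of the attacker, so the list this produces is a set of reflection targets, not sources; and since the pattern in the thread is the ANY query for isc.org (a large answer, hence the amplification Stefan mentions), filtering on qtype ANY as the example does keeps ordinary misdirected A lookups from being blocked along with them.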

