[143115] in North American Network Operators' Group


RE: DNS DoS ???

daemon@ATHENA.MIT.EDU (Blake T. Pfankuch)
Fri Jul 29 17:33:37 2011

From: "Blake T. Pfankuch" <blake@pfankuch.me>
To: Drew Weaver <drew.weaver@thenap.com>, 'Elliot Finley'
 <efinley.lists@gmail.com>, "nanog@nanog.org" <nanog@nanog.org>
Date: Fri, 29 Jul 2011 21:33:27 +0000
In-Reply-To: <F3318834F1F89D46857972DD4B411D700520368F2B@exchange>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

I've seen this for the same on about 3 sets of nameservers I operate.  fail2ban doing a 72 hour iptables drop rule.

-----Original Message-----
From: Drew Weaver [mailto:drew.weaver@thenap.com]
Sent: Friday, July 29, 2011 3:01 PM
To: 'Elliot Finley'; nanog@nanog.org
Subject: RE: DNS DoS ???

We've been seeing this for several years on and off.

thanks,
-Drew


-----Original Message-----
From: Elliot Finley [mailto:efinley.lists@gmail.com]
Sent: Friday, July 29, 2011 2:51 PM
To: nanog@nanog.org
Subject: DNS DoS ???

My DNS servers were getting slow so I blocked recursive queries for all but my own network.

Then I was getting so many of these:

ns2 named[5056]: client 78.159.111.190#25345: query (cache) 'isc.org/ANY/IN' denied

that it was still slowing things down.  I've since written a script to watch the log and throw these into the box's local firewall.  If I expire the entries after 24 hours then I accumulate about 10200 unique IPs.  If I expire after 48 hours, then it's just over 20000 unique IPs.

Is anyone else seeing this?

Elliot




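The log-watching approach Elliot describes, as an added Python example that is not code from anyone on the thread: it parses BIND "query (cache) ... denied" lines, records the last time each source was seen, and expires sources after a 24h or 48h window. The log lines, addresses and the year applied to syslog timestamps are constructed assumptions, and it reports which IPs to add to or drop from the firewall instead of calling iptables itself.

```python
import re
from datetime import datetime, timedelta

# Syslog-prefixed form of the BIND message quoted in the thread, e.g.
#   Jul 29 14:51:01 ns2 named[5056]: client 192.0.2.10#25345: query (cache) 'isc.org/ANY/IN' denied
DENIED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: query \(cache\) '(?P<q>[^']+)' denied"
)
LOG_YEAR = 2011  # assumption: syslog timestamps carry no year

def parse_denied(line, year=LOG_YEAR):
    """Return (timestamp, ip, qname) for a denied cache query line, else None."""
    m = DENIED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group("ip"), m.group("q")

class DeniedSourceTracker:
    """Last-seen time per offending source, expired after `ttl` (the 24h/48h windows)."""
    def __init__(self, ttl):
        self.ttl, self.last_seen = ttl, {}

    def feed(self, line):
        """Record the source; return the IP only when it is new (needs a drop rule)."""
        parsed = parse_denied(line)
        if parsed is None:
            return None
        ts, ip, _ = parsed
        is_new = ip not in self.last_seen
        self.last_seen[ip] = ts
        return ip if is_new else None

    def expire(self, now):
        """Forget sources older than ttl; return them so their rules can be removed."""
        stale = sorted(ip for ip, t in self.last_seen.items() if now - t > self.ttl)
        for ip in stale:
            del self.last_seen[ip]
        return stale

    def active(self):
        return sorted(self.last_seen)

SAMPLE_LOG = """\
Jul 27 10:00:00 ns2 named[5056]: client 192.0.2.10#25345: query (cache) 'isc.org/ANY/IN' denied
Jul 28 09:00:00 ns2 named[5056]: client 198.51.100.7#40001: query (cache) 'isc.org/ANY/IN' denied
Jul 29 14:51:00 ns2 named[5056]: client 192.0.2.10#25346: query (cache) 'isc.org/ANY/IN' denied
Jul 29 14:51:01 ns2 named[5056]: client 203.0.113.9#1025: query (cache) 'isc.org/ANY/IN' denied
Jul 29 14:51:02 ns2 named[5056]: client 203.0.113.9#1025: query 'example.com/A/IN' approved
""".splitlines()  # constructed sample, documentation addresses only
NOW = datetime(2011, 7, 29, 15, 0, 0)  # constructed "current time" for the expiry pass

def run(lines, ttl_hours, now=NOW):
    """Feed all lines, expire once, and return (ips_added, ips_expired, ips_active)."""
    tracker = DeniedSourceTracker(timedelta(hours=ttl_hours))
    added = [ip for ip in (tracker.feed(l) for l in lines) if ip]
    return added, tracker.expire(now), tracker.active()

if __name__ == "__main__":
    for hours in (24, 48):
        print(hours, run(SAMPLE_LOG, hours))
```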