[57069] in North American Network Operators' Group
Re: DNS dDos Attack!
daemon@ATHENA.MIT.EDU (Dan Armstrong)
Fri Mar 28 09:45:15 2003
Date: Fri, 28 Mar 2003 09:28:48 -0500
From: Dan Armstrong <dan@beanfield.com>
To: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu
Sorry, I lied. We are running 8.34Release
What I cannot figure out is why *our* name server is sending out ICMP
unreachables. The incoming dns queries are coming from random
destinations....
I have blocked icmp 3 incoming from that DMZ so as not to overwhelm the CEF in
any other routers, but whoever is doing this has this name server at its
knees.
Dan.
Eric Whitehill wrote:
> Dan:
>
> Can you update your version of BIND and install some acls?
>
> -Eric
>
> On Fri, 28 Mar 2003, Dan Armstrong wrote:
>
> > Date: Fri, 28 Mar 2003 09:20:20 -0500
> > From: Dan Armstrong <dan@beanfield.com>
> > To: nanog@merit.edu
> > Subject: DNS dDos Attack!
> >
> >
> > I am sorry if this has come up before, but it seems that one of our name
> > servers is under some sort of dDos attack. It seems to be receiving
> > millions of queries from spoofed IPs, and it is spending all of its
> > time sending back icmp unreachables.
> >
> > It is running bind 4.31 under BSD 4.62STABLE
> >
> > Help!
> >
> > Thanks,
> > Dan.
> >
> >