[41409] in bugtraq


Re: DNS query spam

daemon@ATHENA.MIT.EDU (Alexander Lourier)
Tue Nov 29 22:51:57 2005

From: Alexander Lourier <aml@rulezz.ru>
To: bugtraq@securityfocus.com
Date: Tue, 29 Nov 2005 09:52:17 +0300
In-Reply-To: <Pine.LNX.4.63.0511272319350.14403@raq.ktd.krakow.pl>
Message-Id: <200511290952.20230.aml@rulezz.ru>

On Monday 28 November 2005 01:30, Piotr Kamisiski wrote:

> Recently my DNS servers get jammed with bogus queries. The attacks come in
> series, taking a few minutes each, sometimes from different IPs at the
> same time, at least twice a day.

My DNS servers were attacked in a similar way at the beginning of this year.
All queries originated from a lot of sources. The senders of these packets
were obviously not bogus, because after firewalling incoming requests from
any of them, the rate of flooding became lower. All requests were made to
one of my domains.

Daily DNS traffic was about 400-500 Mb.

To automate the firewalling process, I wrote a program that sniffed DNS
traffic and automatically added DROP rules to the firewall.

-- 
Best regards. Alexander Lourier. http://aml.rulezz.ru
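
An added illustration of the approach described in the message above (count DNS queries per source for the targeted zone, then generate DROP rules). It is not Alexander Lourier's program; the tcpdump-style line format, the threshold, the window, the allowlist and all names are assumptions, and the sample traffic is constructed. Because UDP source addresses can be forged, the rules are only printed for review and known resolvers can be allowlisted.

```python
import re
from collections import defaultdict, deque

# Assumed input: tcpdump-style text, one query per line, epoch timestamps, e.g.
# "1000.0 IP 192.0.2.10.40001 > 198.51.100.53.53: 7+ A? www.example.org. (33)"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"\d+\.\d+\.\d+\.\d+\.53: \d+\+? \S+\? (?P<qname>\S+?)\.? "
)

def flooders(lines, zone, max_queries, window, allow=()):
    """Sources that sent more than max_queries queries for zone (or a name
    under it) within any span of `window` seconds, in order of detection."""
    zone = zone.lower().rstrip(".")
    recent = defaultdict(deque)          # src -> timestamps inside the window
    flagged = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                     # not a DNS query line we understand
        qname = m["qname"].lower()
        if qname != zone and not qname.endswith("." + zone):
            continue                     # only the zone under attack counts
        src = m["src"]
        if src in allow or src in flagged:
            continue
        ts = float(m["ts"])
        seen = recent[src]
        seen.append(ts)
        while ts - seen[0] > window:     # slide the window forward
            seen.popleft()
        if len(seen) > max_queries:
            flagged.append(src)
    return flagged

def drop_rules(sources):
    """iptables commands for review; nothing is executed here."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport 53 -j DROP" for ip in sources]

def q(ts, src, name, qid):               # helper to build constructed lines
    return f"{ts}.0 IP {src}.40001 > 198.51.100.53.53: {qid}+ A? {name}. (33)"

# Constructed sample: one noisy source, one normal client, one unrelated zone.
SAMPLE = ([q(1000 + i, "192.0.2.10", "www.example.org", i) for i in range(6)]
          + [q(1001, "203.0.113.7", "example.org", 1),
             q(1200, "203.0.113.7", "mail.example.org", 2)]
          + [q(1000 + i, "203.0.113.9", "other.example.net", i) for i in range(8)])

if __name__ == "__main__":
    print("\n".join(drop_rules(flooders(SAMPLE, "example.org", 5, 10))))
```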

