Re: Possible DDoS Occurring Need Advice

From: Len Conrad
Date: Thursday, October 11, 2001
Time: 2:06:47 pm


>As well as replying to the list, please reply to my private email - I
>really need help.
>
>Let's start from the premise that I wouldn't know what the logs of a DDoS
>would look like - at best I am only speculating - so if someone can
>confirm or deny what I'm seeing - I would GREATLY appreciate it.
>
>In any event, I believe that we have come under some form of a DDoS attack.
>
>Beginning this morning, our DNS servers have seen "Outstanding" at 200 and
>"Queries" at 6/sec

I had some (being polite) idiot set up one of my BIND servers as his DNS's
forwarder. I had recursive queries off but logging on, and had 150 megs of
bind logging 2 lines per his denied query, plus bind was sending him a
referral for each query.

I use the BIND blackhole option on his ip, end of story.


>The DNS logs show IP's that resolve from places all over

but what ip do they come from?

If somebody is really just DoSsing by flooding you with DNS UDP packets
with spoofed source address, there really isn't much you can do to stop
it. DoS's are a b!tch.

Do you have recursion restricted to an IP block you trust? With recursion
off, at least your DNS won't waste its time doing the lookups but will just
respond with a referral.

Len


___________________________________________________________________

Men & Mice: QuickDNS - DNS Expert - DNS Training - DNS Consulting
DNS Classes: Toronto 10/18-19, Fairfax VA 10/35-26, Frankfurt 11/21-23
London 11/26-28, Maidenhead 10/31-11/2
http://MenAndMice.com/DNS-training
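
The two BIND measures mentioned in the reply above (blackholing an abusive client and restricting recursion to trusted blocks), sketched as a named.conf fragment. This is an added example, not configuration from the original post; the ACL names, the addresses (documentation ranges) and the log file name are assumptions.

```conf
// Added example. All addresses are RFC 5737 documentation placeholders.

acl "trusted" {
    127.0.0.1;
    192.0.2.0/24;          // assumed: your own client networks
};

acl "abusers" {
    203.0.113.45;          // assumed: the host using this server as its forwarder
};

options {
    // Queries from these addresses are dropped without any reply,
    // so no referral is sent back for each one, and the server never
    // uses these addresses when resolving.
    blackhole { "abusers"; };

    // Recursive lookups are performed only for the trusted blocks.
    allow-recursion { "trusted"; };
};

logging {
    // Send denied-request messages to a size-capped, rotated file so a
    // flood of refused queries cannot grow the log without bound.
    channel security_log {
        file "security.log" versions 5 size 10m;
        severity info;
        print-time yes;
    };
    category security { security_log; };
};
```

Neither setting helps against a flood with spoofed source addresses, as the reply notes; they only stop the server from spending effort on clients it should not be serving.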



