Re: Possible DDoS Occurring Need Advice
From: Men & Mice Support
Date: Thursday, October 11, 2001
Time: 2:39:51 pm

At 4:05 PM -0500 10/11/01, Len Conrad wrote:
>>As well as replying to the list, please reply to my private email -
>>I really need help.
>>
>>Let's start from the premise that I wouldn't know what the logs of
>>a DDoS would look like - at best I am only speculating - so if
>>someone can confirm or deny what I'm seeing - I would GREATLY
>>appreciate it.
>>
>>In any event, I believe that we have come under some form of a DDoS attack.
>>
>>Beginning this morning, our DNS servers have seen "Outstanding" at
>>200 and "Queries" at 6/sec
>
>I had some (being polite) idiot set up one of my BIND servers as his
>DNS's forwarder. I had recursive queries off but logging on, and
>had 150 megs of bind logging 2 lines per his denied query, plus bind
>was sending him a referral for each query.
>
>I use the BIND blackhole option on his ip, end of story.
>
>
>>The DNS logs show IP's that resolve from places all over
>
>but what ip do they come from?
>
>If somebody is really just DoSsing by flooding you with DNS UDP
>packets with spoofed source address, there really isn't much you can
>do to stop it. DoS's are a b!tch.
>
>Do you have recursion restricted to ip block you trust? With
>recursion off, at least your DNS won't waste its time doing the
>lookups but will just respond with a referral.
Unfortunately, QuickDNS Server for Classic Mac OS doesn't support
this type of restriction. Michael, since you give numbers for queries
outstanding and queries/second, I'm guessing you're using QuickDNS
Server for Classic Mac OS.

However, if you can figure out where these queries are coming from,
you can start denying their IP addresses at your router.

Can you paste in some actual log entries so we can get a better idea
of what your server is doing?
____________________________________________________________________
Chris Buxton Men & Mice
cbuxton@menandmice.com Making DNS Easy
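
Added example, not part of the original message or of any product mentioned in it: a small script that tallies query sources from a DNS query log, to tell the single-heavy-client case (one misconfigured forwarder, which can be denied at the router or blackholed) from load spread thinly over many addresses. It assumes BIND 9 style "client <ip>#<port>: query:" lines; the QuickDNS log format is not shown in the thread, and the sample lines, function names and 50% threshold are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: BIND 9 style query log lines, e.g.
#   "... client 192.0.2.10#1053: query: www.example.com IN A"
CLIENT_RE = re.compile(r"client (\d{1,3}(?:\.\d{1,3}){3})#\d+: query:")


def summarize_sources(lines, top_n=3, share_threshold=0.5):
    """Count queries per source IP and report whether a few sources dominate."""
    counts = Counter()
    for line in lines:
        match = CLIENT_RE.search(line)
        if match:  # skip lines that are not query records
            counts[match.group(1)] += 1
    total = sum(counts.values())
    top = counts.most_common(top_n)
    top_share = sum(n for _, n in top) / total if total else 0.0
    return {
        "total": total,
        "distinct_sources": len(counts),
        "top": top,
        "top_share": top_share,
        # True: a handful of addresses carry most of the load, so denying
        # them at the router (or a BIND blackhole entry) is worth trying.
        # False: load is spread over many addresses (possibly spoofed),
        # and per-address blocking will do little.
        "concentrated": total > 0 and top_share >= share_threshold,
    }


def make_sample():
    """Constructed sample: one heavy client, ten light ones, one non-query line."""
    heavy = [
        "11-Oct-2001 14:00:%02d client 192.0.2.10#1053: query: www.example.com IN A" % (i % 60)
        for i in range(40)
    ]
    spread = [
        "11-Oct-2001 14:01:00 client 198.51.100.%d#2048: query: mail.example.com IN MX" % i
        for i in range(1, 11)
    ]
    noise = ["11-Oct-2001 14:01:01 zone example.com/IN: loaded serial 2001101101"]
    return heavy + spread + noise


if __name__ == "__main__":
    report = summarize_sources(make_sample())
    for ip, n in report["top"]:
        print(f"{ip:15s} {n:5d} queries")
    print("concentrated:", report["concentrated"])
```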