Re: Possible DDoS Occurring Need Advice
From: Jerry Pasker
Date: Thursday, October 11, 2001
Time: 3:53:41 pm

>At 4:05 PM -0500 10/11/01, Len Conrad wrote:
>>>As well as replying to the list, please reply to my private email -
>>>I really need help.
>>>
>>>Let's start from the premise that I wouldn't know what the logs of
>>>a DDoS would look like - at best I am only speculating - so if
>>>someone can confirm or deny what I'm seeing - I would GREATLY
>>>appreciate it.
>>>
>>>In any event, I believe that we have come under some form of a DDoS attack.
>>>
>>>Beginning this morning, our DNS servers have seen "Outstanding" at
>>>200 and "Queries" at 6/sec
>>
>>I had some (being polite) idiot set up one of my BIND servers as his
>>DNS's forwarder. I had recursive queries off but logging on, and
>>had 150 megs of bind logging 2 lines per his denied query, plus bind
>>was sending him a referral for each query.
>>
>>I use the BIND blackhole option on his ip, end of story.
>>
>>
>>>The DNS logs show IP's that resolve from places all over
>>
>>but what ip do they come from?
>>
>>If somebody is really just DoSsing by flooding you with DNS UDP
>>packets with spoofed source address, there really isn't much you can
>>do to stop it. DoS's are a b!tch.
>>
>>Do you have recursion restricted to the IP blocks you trust? With
>>recursion off, at least your DNS won't waste its time doing the
>>lookups but will just respond with a referral.
>
>Unfortunately, QuickDNS Server for Classic Mac OS doesn't support
>this type of restriction. Michael, since you give numbers for queries
>outstanding and queries/second, I'm guessing you're using QuickDNS
>Server for Classic Mac OS.
>
>However, if you can figure out where these queries are coming from,
>you can start denying their IP addresses at your router.
>
>Can you paste in some actual log entries so we can get a better idea
>of what your server is doing?
>____________________________________________________________________
>Chris Buxton, Men & Mice
>cbuxton@menandmice.com, Making DNS Easy
I think he's seeing a bug that I saw a few weeks ago. Once in my primary
DNS, and once in another 'hidden' DNS server I was running in temp
activation key mode, to take load off the primary. (experiment, to see if
I could make the primary more reliable by removing load) A reboot fixed
it. The server gets all stupid, and answers things it's authoritative for,
but doesn't know how to find the root servers, or do any form of recursive
resolving reliably. It would do SOME resolving for SOME clients. It was
strange. I've never seen this behavior, until I went to the latest version
of DNS Pro for classic.
If it was a DoS (and it wasn't), it would have had to come from internally,
since the DNS server was only known to the clients that my dial-up servers
were referring to it.
The worst thing about it is that my DNS monitoring tool didn't catch it,
since the DNS server still did the zones it's authoritative for (it's secondary
for all my internal domains, but it's not used by the outside internet)
without any problems.
Sounds like just another bug. My logs didn't show much of anything going on.
-Jerry
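An added example, not code from this thread or from either poster: a small Python script that tallies denied recursive queries per source address from BIND-style log lines, the triage step behind "what ip do they come from?", and renders a `blackhole` fragment for the heavy hitters. The log line format and the sample lines are constructed assumptions (the thread quotes no logs), and, as Len points out, a flood with spoofed source addresses defeats this kind of per-IP counting.

```python
import re
from collections import Counter

# Constructed sample lines in a BIND 9 style "query ... denied" format.
# The exact format is an assumption; the thread itself quotes no log lines.
SAMPLE_LOG = """\
11-Oct-2001 09:02:11.120 client 192.0.2.77#1045: query (cache) 'www.example.org/A/IN' denied
11-Oct-2001 09:02:11.121 client 192.0.2.77#1045: query (cache) 'mail.example.org/MX/IN' denied
11-Oct-2001 09:02:12.004 client 198.51.100.9#53: query (cache) 'example.com/A/IN' denied
11-Oct-2001 09:02:13.330 client 192.0.2.77#1046: query (cache) 'ns1.example.net/A/IN' denied
11-Oct-2001 09:02:14.001 client 203.0.113.5#2201: query (cache) 'example.com/A/IN' denied
11-Oct-2001 09:02:15.500 client 192.0.2.77#1047: query (cache) 'www.example.org/A/IN' denied
"""

DENIED_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: query \(cache\) '(?P<q>[^']+)' denied"
)


def denied_by_client(log_text):
    """Count denied recursive queries per source IP (unreliable if sources are spoofed)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def blackhole_candidates(counts, threshold):
    """IPs whose denied-query count meets the threshold, most active first."""
    return [ip for ip, n in counts.most_common() if n >= threshold]


def render_blackhole(ips):
    """Render a named.conf options fragment that drops all traffic from those IPs.

    Restricting recursion (allow-recursion) is the first step; blackhole is for
    a source that keeps hammering the server with queries it will never answer.
    """
    body = "".join(f"        {ip};\n" for ip in ips)
    return "options {\n    blackhole {\n" + body + "    };\n};\n"


if __name__ == "__main__":
    counts = denied_by_client(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip:16} {n} denied")
    print(render_blackhole(blackhole_candidates(counts, 3)))
```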