Search Again: Re: Our DNS was spammed. From: Len Conrad Date: Wednesday, December 12, 2001 Time: 4:50:00 pm >We just received our monthly Internet bill and it was suprisingly huge. >After some investigation, it turned out our DNS server, QuickDNS 2.2.3, >had been hit by millions of queries, racking up 3Gig of incoming traffic >in a month. >Now, we're a small office and perhaps 30 computers should directly use the >DNS server. There was an advantage of being able to manage our own domain >names, but perhaps we should surrender the job to an ISP. > >ANYWAY, the first question is Why? not why, but how? you had recursion enabled for INternet, is my bet >Why would we be attacked this way? you weren't necessarily "attacked", somebody just robbed your DNS resources. your DNS obviously weren't DoS'ed by this robbing, or you would have noticed the lack of DNS service for yourself. >The second question is How to Stop It? restrict recursion to your LAN ip blocks. (see below, this is not a perfectly tight solution) > Can I set filters so only our office can access it. I know this is > complicated by our DNS server needing to be accessable by other DNS servers. DNS servers send each other interative queries, not recursive queries. Maybe somebody set up their DNS(s) to forward to yours. THAT can generate a lot of traffic fast, vs random individuals using you as their DNS. In the "forwarder" case above, even if you have recursion off, remote DNS(s) could still set up as a forwarder, send you their queries (traffic). Your DNS returns a referral for each one(traffic), which would also generate a huge amt of traffic. The referrals to the forwarding DNS would be useless, but mayhe they didn't care, and just wanted to attack you by running up the bandwidth charges. you don't have any trace of DNS activity?? Len ___________________________________________________________________ Men & Mice: QuickDNS - DNS Expert - DNS Training - DNS Consulting DNS Classes: Toronto 10/18-19, Fairfax VA 10/35-26, Frankfurt 11/21-23 London 11/26-28, Maidenhead 10/31-11/2 http://MenAndMice.com/DNS-training

Messages In This Thread: Our DNS was spammed. by Greg McPherson on Dec 12, 2001 at 4:31:05 pm Re: Our DNS was spammed. by David M. Dantowitz on Dec 12, 2001 at 4:39:09 pm Re: Our DNS was spammed. by Mia''s Virtual Post Office on Dec 12, 2001 at 4:45:03 pm Re: Our DNS was spammed. by Mia''s Virtual Post Office on Dec 12, 2001 at 4:47:55 pm Re: Our DNS was spammed. by Len Conrad on Dec 12, 2001 at 4:50:00 pm Re: Our DNS was spammed. by Men & Mice Support on Dec 12, 2001 at 7:24:24 pm Re: Our DNS was spammed. by David M. Dantowitz on Dec 12, 2001 at 8:18:00 pm Re: Our DNS was spammed. by Men & Mice Support on Dec 12, 2001 at 10:04:44 pm Re: Our DNS was spammed. by Greg McPherson on Dec 19, 2001 at 5:36:51 pm Re: Our DNS was spammed. by Men & Mice Support on Dec 19, 2001 at 5:47:09 pm