[dns-operations] Tracking the DNS amplification attacks (was: isprime DOS in progress)

Roger Marquis marquis at roble.com
Sun Jan 25 05:33:21 UTC 2009


Frank Bulk wrote:
> I would not recommend sucking in your dns log into array, rather, read line
> by line and iterate over the file, line by line.

Agreed. Python and Pytailer <http://code.google.com/p/pytailer/> are
particularly good tools for this application, running as a daemon and
implementing IP filters as needed.

This is all, however, treating symptoms.  The root cause would be far
better fixed with a named patch implementing Chris Paul's recommendation to
NANOG back in August:

  >Chris Paul wrote
  >> Sorry if this is real stupid for some reason because I don't think about
  >> DNS all day (I'm the ldap dude) but since we have faster networks and
  >> faster cpus today, what would be the harm in switching to use TCP for
  >> DNS clients? The latency on the web isn't dns anymore ever it seems to
  >> me.....
  >
  > That's the best idea I've read so far. You wouldn't want to toggle
  > protocols on the first mismatch, but maybe the 10th or 50th. Would also be
  > worthwhile to factor in some rate limiting and an algorithm for timing the
  > toggle-back. Stir in some simple statefulness via btree and voila.

Roger Marquis



More information about the dns-operations mailing list