[dns-operations] Tracking the DNS amplification attacks (was: isprime DOS in progress)
Roger Marquis
marquis at roble.com
Sun Jan 25 05:33:21 UTC 2009
Frank Bulk wrote:
> I would not recommend sucking in your dns log into array, rather, read line
> by line and iterate over the file, line by line.
Agreed. Python and Pytailer <http://code.google.com/p/pytailer/> are
particularly good tools for this application, running as a daemon and
implementing IP filters as needed.
This is all, however, treating symptoms. The root cause would be far
better fixed with a named patch implementing Chris Paul's recommendation to
NANOG back in August:
>Chris Paul wrote
>> Sorry if this is real stupid for some reason because I don't think about
>> DNS all day (I'm the ldap dude) but since we have faster networks and
>> faster cpus today, what would be the harm in switching to use TCP for
>> DNS clients? The latency on the web isn't dns anymore ever it seems to
>> me.....
>
> That's the best idea I've read so far. You wouldn't want to toggle
> protocols on the first mismatch, but maybe the 10th or 50th. Would also be
> worthwhile to factor in some rate limiting and an algorithm for timing the
> toggle-back. Stir in some simple statefulness via btree and voila.
Roger Marquis
More information about the dns-operations
mailing list