[dns-operations] annoying DDoS attack on ns0.rfc1035.com

Paul Vixie paul at redbarn.org
Sun Jun 10 05:34:51 UTC 2012


On 2012-06-10 5:10 AM, Jim Reid wrote:
> My name server has been getting hammered with queries for ihren.org --
> one of the zones it serves -- since around 00:00 GMT today. [The
> attack may have started earlier and I just didn't notice it.] The box
> is getting ~400 qps for this name. The queries come from the same IP
> address, just repeating over and over. The source port number changes
> after 25 queries or so. As soon as I get BIND to blackhole the
> offending prefix, another host pops up to take its place: repeated
> queries with a broken UDP checksum from a single IP address at a time.

can i interest you in an experimental (thus far) patch to implement
per-{client,response} rate limiting in bind?
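
A sketch of what rate limiting keyed on the (client, response) pair does to the traffic pattern described above, as an added example: it is not the patch mentioned in this message and not BIND code. The class name, the 5/s rate, the burst of 15, the /24 client grouping and the documentation-range addresses are all assumptions, and the traffic is constructed.

```python
import ipaddress
from collections import defaultdict

class ResponseRateLimiter:
    """Token bucket keyed on (client prefix, response name). Hypothetical sketch."""

    def __init__(self, per_second=5, burst=15, prefix_len=24):
        self.rate = per_second          # assumed refill rate, responses per second
        self.burst = burst              # assumed bucket depth
        self.prefix_len = prefix_len    # assumed client grouping (/24)
        # key -> [tokens, time of last query seen for this key]
        self.buckets = defaultdict(lambda: [float(burst), None])

    def _key(self, src_ip, qname):
        net = ipaddress.ip_network(f"{src_ip}/{self.prefix_len}", strict=False)
        return (str(net), qname.lower().rstrip("."))

    def allow(self, now, src_ip, qname):
        """Return True if a response may be sent, False if it should be dropped."""
        bucket = self.buckets[self._key(src_ip, qname)]
        tokens, last = bucket
        if last is not None:
            tokens = min(self.burst, tokens + (now - last) * self.rate)
        bucket[1] = now
        if tokens >= 1.0:
            bucket[0] = tokens - 1.0
            return True
        bucket[0] = tokens
        return False

def simulate(seconds=10, flood_qps=400):
    """Constructed traffic: one source repeating a query at ~400 qps,
    plus one ordinary resolver asking for the same name once a second."""
    rrl = ResponseRateLimiter()
    events = [(i / flood_qps, "192.0.2.10", "ihren.org")
              for i in range(seconds * flood_qps)]
    events += [(s + 0.5, "198.51.100.7", "ihren.org") for s in range(seconds)]
    events.sort()
    answered = defaultdict(int)
    for now, src, qname in events:
        if rrl.allow(now, src, qname):
            answered[src] += 1
    return dict(answered)

if __name__ == "__main__":
    print(simulate())
```

Because UDP source addresses can be forged, a legitimate resolver inside the same prefix as the apparent source shares its bucket for that name.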
