[dns-operations] annoying DDoS attack on ns0.rfc1035.com
Jim Reid
jim at rfc1035.com
Sun Jun 10 08:45:11 UTC 2012
On 10 Jun 2012, at 09:19, DTNX Postmaster wrote:
> What type of queries?
ANY queries for ihren.org with no UDP checksum:
shaun# tcpdump -vv -n port 53
09:32:30.139803 IP (tos 0x0, ttl 251, id 24876, offset 0, flags
[none], proto UDP (17), length 66) 37.221.160.125.28832 >
93.186.33.42.53: [no cksum] 18554+ [1au] ANY? ihren.org. ar: . OPT
UDPsize=9000 (38)
09:32:30.139806 IP (tos 0x0, ttl 251, id 24877, offset 0, flags
[none], proto UDP (17), length 66) 37.221.160.125.28832 >
93.186.33.42.53: [no cksum] 18554+ [1au] ANY? ihren.org. ar: . OPT
UDPsize=9000 (38)
09:32:30.139929 IP (tos 0x0, ttl 251, id 24878, offset 0, flags
[none], proto UDP (17), length 66) 37.221.160.125.28832 >
93.186.33.42.53: [no cksum] 18554+ [1au] ANY? ihren.org. ar: . OPT
UDPsize=9000 (38)
> The iptables rules mentioned in the first comment work well for us
Well for starters, I [dw]on't use Linux. The server runs FreeBSD.
Besides, the damage is done by the time these packets hit the server's
ethernet card. At ~4000qps inbound, this is close to saturating the
server's VLAN in the data centre. The traffic needs to be blocked
before it reaches that. I've hopefully got the offending addresses
blackholed by the name server now: don't know though if those
addresses were spoofed or not.
I posted here to see if anyone else is experiencing this behaviour or
can identify the root cause. DDoS attacks against "important" name
servers are fairly common. Could the bad guys now be picking easier
targets that may be more likely to fall over? And why pick on my name
server which has never done anyone any harm?
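The capture in the message above shows a recognisable pattern: a single source sending near-identical EDNS ANY queries for one name, all without a UDP checksum and all reusing the same query ID. The following script is an added example (not part of the original post or any tool mentioned on the list) that parses `tcpdump -vv -n` summary lines into fields and groups them by source and query name, so an operator can confirm the pattern and estimate the rate before deciding what to filter upstream. The three attack records from the capture are rejoined onto one line each; the two benign lookups, the placeholder resolver address 192.0.2.10, and the thresholds are constructed assumptions.

```python
"""Flag repeated EDNS ANY queries for one name sent from one source with
no UDP checksum, as seen in the capture above.  Added example; thresholds
and the benign sample lines are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Field layout assumed from the tcpdump -vv -n lines in the post:
# ts IP (... ttl N, ...) src.port > dst.port: [no cksum] id+ [1au] QTYPE? name ... UDPsize=N
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP \(.*?ttl (?P<ttl>\d+),.*?\) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<nocksum>\[no cksum\] )?(?P<qid>\d+)\+? (?:\[1au\] )?"
    r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)"
    r"(?:.*?UDPsize=(?P<udpsize>\d+))?"
)


def parse_query(line):
    """Return a dict describing one DNS query line, or None if it is not one."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # Wall-clock time of day in seconds; sufficient for rate estimates.
    t = datetime.strptime(d["ts"], "%H:%M:%S.%f")
    return {
        "time": t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6,
        "src": d["src"],
        "sport": int(d["sport"]),
        "qid": int(d["qid"]),
        "qtype": d["qtype"],
        "qname": d["qname"],
        "no_cksum": d["nocksum"] is not None,
        "udpsize": int(d["udpsize"]) if d["udpsize"] else None,
    }


def find_any_floods(lines, min_queries=3, min_any_ratio=0.9):
    """Group queries by (source IP, qname) and report groups that are almost
    entirely ANY queries.  Each finding records whether every packet lacked a
    UDP checksum, the largest advertised EDNS buffer, how many distinct query
    IDs were used, and the observed queries per second."""
    groups = defaultdict(list)
    for line in lines:
        q = parse_query(line)
        if q:
            groups[(q["src"], q["qname"])].append(q)

    findings = []
    for (src, qname), qs in groups.items():
        if len(qs) < min_queries:
            continue
        any_ratio = sum(q["qtype"] == "ANY" for q in qs) / len(qs)
        if any_ratio < min_any_ratio:
            continue
        span = qs[-1]["time"] - qs[0]["time"]
        findings.append({
            "src": src,
            "qname": qname,
            "count": len(qs),
            "no_cksum": all(q["no_cksum"] for q in qs),
            "max_udpsize": max((q["udpsize"] or 0) for q in qs),
            "distinct_qids": len({q["qid"] for q in qs}),
            "qps": len(qs) / span if span > 0 else float("inf"),
        })
    return findings


# Constructed sample: the three wrapped records from the capture, rejoined
# onto one line each, plus two benign lookups that must not be flagged.
SAMPLE = [
    "09:32:30.139803 IP (tos 0x0, ttl 251, id 24876, offset 0, flags [none], "
    "proto UDP (17), length 66) 37.221.160.125.28832 > 93.186.33.42.53: "
    "[no cksum] 18554+ [1au] ANY? ihren.org. ar: . OPT UDPsize=9000 (38)",
    "09:32:30.139806 IP (tos 0x0, ttl 251, id 24877, offset 0, flags [none], "
    "proto UDP (17), length 66) 37.221.160.125.28832 > 93.186.33.42.53: "
    "[no cksum] 18554+ [1au] ANY? ihren.org. ar: . OPT UDPsize=9000 (38)",
    "09:32:30.139929 IP (tos 0x0, ttl 251, id 24878, offset 0, flags [none], "
    "proto UDP (17), length 66) 37.221.160.125.28832 > 93.186.33.42.53: "
    "[no cksum] 18554+ [1au] ANY? ihren.org. ar: . OPT UDPsize=9000 (38)",
    # Constructed benign traffic from a placeholder resolver (RFC 5737 range).
    "09:32:31.000100 IP (tos 0x0, ttl 55, id 100, offset 0, flags [none], "
    "proto UDP (17), length 60) 192.0.2.10.51000 > 93.186.33.42.53: "
    "4321+ A? www.rfc1035.com. (32)",
    "09:32:31.000200 IP (tos 0x0, ttl 55, id 101, offset 0, flags [none], "
    "proto UDP (17), length 60) 192.0.2.10.51001 > 93.186.33.42.53: "
    "4322+ AAAA? www.rfc1035.com. (32)",
]

if __name__ == "__main__":
    for finding in find_any_floods(SAMPLE):
        print(finding)
```

Run against a saved `tcpdump -vv -n port 53` capture by reading its lines into `find_any_floods`; the single distinct query ID across many packets and the missing checksum are the details that separate this traffic from a busy but legitimate resolver, and the `qps` figure is what an upstream provider will ask for when you request a filter.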