[dns-operations] annoying DDoS attack on ns0.rfc1035.com

DTNX Postmaster postmaster at dtnx.net
Sun Jun 10 09:30:18 UTC 2012


On Jun 10, 2012, at 10:45, Jim Reid wrote:

> On 10 Jun 2012, at 09:19, DTNX Postmaster wrote:
> 
>> What type of queries?
> 
> ANY queries for ihren.org with no UDP checksum:
> 
> shaun# tcpdump -vv -n port 53
> 09:32:30.139803 IP (tos 0x0, ttl 251, id 24876, offset 0, flags [none], proto UDP (17), length 66) 37.221.160.125.28832 > 93.186.33.42.53: [no cksum] 18554+ [1au] ANY? ihren.org. ar: . OPT UDPsize=9000 (38)
> 09:32:30.139806 IP (tos 0x0, ttl 251, id 24877, offset 0, flags [none], proto UDP (17), length 66) 37.221.160.125.28832 > 93.186.33.42.53: [no cksum] 18554+ [1au] ANY? ihren.org. ar: . OPT UDPsize=9000 (38)
> 09:32:30.139929 IP (tos 0x0, ttl 251, id 24878, offset 0, flags [none], proto UDP (17), length 66) 37.221.160.125.28832 > 93.186.33.42.53: [no cksum] 18554+ [1au] ANY? ihren.org. ar: . OPT UDPsize=9000 (38)

This is what our tcpdump looks like:

11:20:46.115011 IP (tos 0x0, ttl 47, id 0, offset 0, flags [DF], proto UDP (17), length 63)
    184.105.175.202.30632 > amonhen.nickserf.nl.domain: [udp sum ok] 43127+ ANY? xxxxxxxxxxxxx.tld. (35)
11:20:47.093295 IP (tos 0x0, ttl 47, id 0, offset 0, flags [DF], proto UDP (17), length 63)
    184.105.175.202.50833 > amonhen.nickserf.nl.domain: [udp sum ok] 37318+ ANY? xxxxxxxxxxxxx.tld. (35)
11:20:48.290580 IP (tos 0x0, ttl 47, id 0, offset 0, flags [DF], proto UDP (17), length 63)
    184.105.175.202.30559 > amonhen.nickserf.nl.domain: [udp sum ok] 24439+ ANY? xxxxxxxxxxxxx.tld. (35)
11:20:48.582575 IP (tos 0x0, ttl 47, id 0, offset 0, flags [DF], proto UDP (17), length 63)
    184.105.175.202.53576 > amonhen.nickserf.nl.domain: [udp sum ok] 18641+ ANY? xxxxxxxxxxxxx.tld. (35)
11:20:48.993361 IP (tos 0x0, ttl 47, id 0, offset 0, flags [DF], proto UDP (17), length 63)
    184.105.175.202.58969 > amonhen.nickserf.nl.domain: [udp sum ok] 23014+ ANY? xxxxxxxxxxxxx.tld. (35)

(target domain obscured)


>> The iptables rules mentioned in the first comment work well for us
> 
> Well for starters, I [dw]on't use Linux. The server runs FreeBSD. Besides, the damage is done by the time these packets hit the server's ethernet card. At ~4000qps inbound, this is close to saturating the server's VLAN in the data centre. The traffic needs to be blocked before it reaches that. I've hopefully got the offending addresses blackholed by the name server now: don't know though if those addresses were spoofed or not.

I wasn't assuming you are using the same platform, just sharing our 
experiences of the past week :-)  Perhaps it's possible to implement a 
similar rule in IPFW/PF/IPF?

That way you at least won't be responding to the queries, and dropping 
the packets should lighten the load?

Cya,
Jona
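Added example, not code from Jona's or Jim's posts: a small Python parser for the tcpdump -vv lines quoted above that counts ANY queries per source address and records the two reflection-attack tells the thread mentions (missing UDP checksum, oversized EDNS buffer), i.e. the triage one would do before blackholing a source or writing a firewall rule. The sample capture is constructed from the two line shapes shown in the thread, using RFC 5737 documentation addresses rather than the real hosts.

```python
import re
from collections import defaultdict

# Matches the query half of a tcpdump -vv line as quoted in the thread. Assumption:
# default tcpdump -vv output, with the indented payload line already joined to its header.
QUERY_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > \S+?\.(?:\d+|domain): \[(?P<cksum>[^\]]*)\] "
    r"\d+\+ (?:\[1au\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)(?:.*?OPT UDPsize=(?P<bufsize>\d+))?"
)

def parse_query(line):
    """Return the parsed query fields for one (joined) tcpdump line, or None for non-queries."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    q = m.groupdict()
    q["no_cksum"] = q["cksum"].startswith("no cksum")
    q["bufsize"] = int(q["bufsize"] or 512)  # no EDNS OPT -> classic 512-byte reply limit
    return q

def flag_amplification_sources(dump, any_threshold=3, big_buffer=4096):
    """Per source IP: count ANY queries, missing UDP checksums and oversized EDNS
    buffers; return the sources at/over the threshold (candidates for filtering upstream)."""
    joined = re.sub(r"\n[ \t]+", " ", dump)  # tcpdump -vv wraps the payload onto an indented line
    stats = defaultdict(lambda: {"any": 0, "no_cksum": 0, "big_edns": 0, "names": set()})
    for line in joined.splitlines():
        q = parse_query(line)
        if q and q["qtype"] == "ANY":
            s = stats[q["src"]]
            s["any"] += 1
            s["no_cksum"] += q["no_cksum"]
            s["big_edns"] += q["bufsize"] > big_buffer
            s["names"].add(q["qname"])
    return {src: s for src, s in stats.items() if s["any"] >= any_threshold}

# Constructed sample in the two line shapes seen in the thread (RFC 5737 addresses, not real hosts).
SAMPLE = """\
09:32:30.139803 IP (tos 0x0, ttl 251, id 24876, offset 0, flags [none], proto UDP (17), length 66) 192.0.2.10.28832 > 198.51.100.5.53: [no cksum] 18554+ [1au] ANY? example.org. ar: . OPT UDPsize=9000 (38)
09:32:30.139806 IP (tos 0x0, ttl 251, id 24877, offset 0, flags [none], proto UDP (17), length 66) 192.0.2.10.28832 > 198.51.100.5.53: [no cksum] 18554+ [1au] ANY? example.org. ar: . OPT UDPsize=9000 (38)
09:32:30.139929 IP (tos 0x0, ttl 251, id 24878, offset 0, flags [none], proto UDP (17), length 66) 192.0.2.10.28832 > 198.51.100.5.53: [no cksum] 18554+ [1au] ANY? example.org. ar: . OPT UDPsize=9000 (38)
11:20:46.115011 IP (tos 0x0, ttl 47, id 0, offset 0, flags [DF], proto UDP (17), length 63)
    192.0.2.77.30632 > ns.example.net.domain: [udp sum ok] 43127+ ANY? example.com. (35)
11:20:47.093295 IP (tos 0x0, ttl 47, id 0, offset 0, flags [DF], proto UDP (17), length 63)
    192.0.2.77.50833 > ns.example.net.domain: [udp sum ok] 37318+ ANY? example.com. (35)
11:20:48.290580 IP (tos 0x0, ttl 47, id 0, offset 0, flags [DF], proto UDP (17), length 63)
    192.0.2.77.30559 > ns.example.net.domain: [udp sum ok] 24439+ ANY? example.com. (35)
11:21:00.000000 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto UDP (17), length 63)
    203.0.113.9.4000 > ns.example.net.domain: [udp sum ok] 1+ A? www.example.com. (35)
"""
```

A source with no checksum and a 9000-byte EDNS buffer on every ANY query is a stronger spoofing/reflection indicator than the query count alone, which is why both are tallied next to it.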
