[dns-operations] annoying DDoS attack on ns0.rfc1035.com

Paul J. Smith pjsmith at mtgsy.net
Sun Jun 10 10:05:19 UTC 2012

You need to respond to ANY's if you want mail delivery to your domains.  There are some popular mail servers out there that don't send MX requests, only ANY to find out where to deliver email to.  

Rate limiting is the way to go and stops it dead.  Whilst you still get lots of requests, they drop off quicker and your outbound traffic is eliminated.  It's worked very well for us and the CN ANY attacks going on for the last few months.

-----Original Message-----
From: dns-operations-bounces at lists.dns-oarc.net [mailto:dns-operations-bounces at lists.dns-oarc.net] On Behalf Of Dobbins, Roland
Sent: 10 June 2012 09:59
To: DNS Operations List
Subject: Re: [dns-operations] annoying DDoS attack on ns0.rfc1035.com

On Jun 10, 2012, at 3:45 PM, Jim Reid wrote:

> And why pick on my name server which has never done anyone any harm?

They're just looking for ANY records, there's no rhyme or reason to it.  They're spoofing the IP address of the target they're attacking - they're using your server for reflection/amplification.

Do you really need to respond to ANY queries - especially when your servers are being abused?

Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton

dns-operations mailing list
dns-operations at lists.dns-oarc.net
dns-jobs mailing list

More information about the dns-operations mailing list