Hi All - Thanks for all the great responses. I'm glad to hear I'm not the only one seeing this type of activity!<br><br>@Paul - Yes, I read about RRL on this list before, but like Mohamed, I'm not using BIND. (We're running TinyDNS)<br>
<br>@Hauke - In our case, all the requests are for domains we are authoritative for and the domains are not related (different customers' domains being hit), and there is no apparent increase in the number of non-existent record queries in our logs. This would indicate the attacker has done their homework, only sending in requests they know we will have an answer for, ensuring maximum "reflection".<br>
<br><br>For anyone using the iptables solution posted in the link of my original email, I had to tweak a few settings to get things working just right on our setup:<br><br>1. I reduced the timers to --seconds 10 as our servers are too busy for a 60 second timeout, given the module's default "addresses to remember" limit of 100 (ip_list_tot=100)<br>
<br>2. Requests with shorter domain names seemed to be getting by the filtering, pushing the start of the 0000FF0001 fingerprint to before the starting match point of 50. Changing the start point to 47 fixed this for us.<br>
<br><br>The other interesting thing I noticed about the attack packets is that the source port and transaction ID are transposed. This could be used to fingerprint the abusive packets. Here are a few lines from our TinyDNS log (domain names removed and time-codes converted to a reader friendly format): <br>
<br><span style="font-family:courier new,monospace">2012-09-11 04:19:56.006172500 7115dd15:1ca3:a31c + 00ff<br>2012-09-11 04:19:56.010172500 7115dd15:b571:71b5 + 00ff<br>2012-09-11 04:19:56.014172500 7115dd15:9cd1:d19c + 00ff<br>
2012-09-11 04:19:56.026172500 7115dd15:538a:8a53 + 00ff<br>2012-09-11 04:19:56.026172500 7115dd15:6fa5:a56f + 00ff<br>2012-09-11 04:19:56.042173500 7115dd15:40ac:ac40 + 00ff<br>2012-09-11 04:19:56.066173500 7115dd15:6fa5:a56f + 00ff<br>
2012-09-11 04:19:56.066173500 7115dd15:6e38:386e + 00ff<br>2012-09-11 04:19:56.074173500 7115dd15:9729:2997 + 00ff<br>2012-09-11 04:19:56.082173500 7115dd15:c6df:dfc6 + 00ff</span><br><br>The three sets of hex separated by colons represent <span style="font-family:courier new,monospace">Source IP:Source Port:Transaction ID </span>(tinydns log file format is explained here: <a href="http://www.dqd.com/~mayoff/notes/djbdns/tinydns-log.html">http://www.dqd.com/~mayoff/notes/djbdns/tinydns-log.html</a> ) <br>
<br>Looking at the last line, for example, shows source port <span style="font-family:courier new,monospace">c6df</span> and its inverse ID <span style="font-family:courier new,monospace">dfc6</span><br><br>Anyone else seeing this behaviour in their logs?<br>
<br>Thanks,<br><br>-Rob<br>
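A small detector for the byte-swapped port/ID pattern described in the message above, added here as an example and not Rob's code or anything from the list thread. It assumes log lines in the humanised form shown in the post (date, time, then <code>src-ip:src-port:query-id</code>, a result code, the query type and an optional name); the sample lines are constructed, reusing the source address from the posted log plus an ordinary client for contrast.

```python
import ipaddress
import re
from collections import defaultdict

# tinydns query log line as posted (timestamp humanised, name optional):
#   <date> <time> <src-ip-hex>:<src-port-hex>:<query-id-hex> <code> <qtype-hex> [<name>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ip>[0-9a-f]{8}):(?P<port>[0-9a-f]{4}):(?P<qid>[0-9a-f]{4})"
    r" (?P<code>\S) (?P<qtype>[0-9a-f]{4})(?: (?P<name>\S+))?\s*$"
)

# Constructed sample: the first three lines mimic the posted pattern (query ID equals
# the byte-swapped source port); the last two are ordinary queries from another client.
SAMPLE_LOG = """\
2012-09-11 04:19:56.066173500 7115dd15:6e38:386e + 00ff
2012-09-11 04:19:56.074173500 7115dd15:9729:2997 + 00ff
2012-09-11 04:19:56.082173500 7115dd15:c6df:dfc6 + 00ff
2012-09-11 04:20:01.000000000 0a000001:d431:1f2c + 0001 www.example.invalid
2012-09-11 04:20:01.500000000 0a000001:e002:7b19 + 0001 www.example.invalid
"""

def swap16(hex4: str) -> str:
    """Return the 16-bit hex value with its two bytes transposed (c6df -> dfc6)."""
    return hex4[2:4] + hex4[0:2]

def parse_line(line: str):
    """Parse one log line into a dict, or None if it is not a query line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_ip"] = str(ipaddress.IPv4Address(int(rec["ip"], 16)))
    rec["swapped"] = rec["qid"] == swap16(rec["port"])
    return rec

def swapped_stats(log_text: str) -> dict:
    """Per source IP: (queries whose ID is the byte-swapped port, total queries)."""
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stats[rec["src_ip"]][1] += 1
        if rec["swapped"]:
            stats[rec["src_ip"]][0] += 1
    return {ip: tuple(v) for ip, v in stats.items()}

def flag_sources(log_text: str, min_queries: int = 3, min_ratio: float = 0.9) -> list:
    """Source IPs where nearly every query carries the swapped-port ID. A genuine
    resolver matches by accident with probability 1/65536 per query, so a high
    ratio over several queries is a strong fingerprint rather than noise."""
    return sorted(ip for ip, (hits, total) in swapped_stats(log_text).items()
                  if total >= min_queries and hits / total >= min_ratio)
```

Running `flag_sources(SAMPLE_LOG)` on the constructed sample returns `['113.21.221.21']`; the 10.0.0.1 client is left alone because none of its IDs match.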