On 02/18/2014 07:59 PM, Joe Maimon wrote:
Doug Barton wrote:
On 02/18/2014 07:08 PM, Joe Maimon wrote:
Thousand of queries with thousands of source ip addresses.
Pardon if I missed a memo, but how are your resolver systems receiving these thousands of very different source addresses?
Doug
Thousands of queries _from_ thousands of source ip addresses
likely they are spoofed
Yes, got that bit. :) What I'm asking is, why are spoofed queries hitting your "different resolvers, routers with proxy turned on, etc.?" Are you running open resolvers? If so, please stop doing that, it's widely known to be a bad idea for over a decade now, and you are providing the bad guys a tool to use for DDOS attacks. If it's something else, please speak up. Regardless of the goal of this particular issue, the way to solve the root problem is to prevent the spoofed packets from getting to your servers in the first place. Doug