-----Original Message----- From: Graeme Fowler [mailto:graeme@graemef.net] Sent: Wednesday, January 21, 2009 11:08 AM To: Nanog Mailing list Subject: Re: isprime DOS in progress
I've been seeing a lot of noise from the latter two addresses after switching on query logging (and finishing an application of Team Cymru's excellent template) so I decided to DROP traffic from the addresses (with source port != 53) at the hosts in question.
Well, blow me down if they didn't completely stop talking to me. Four dropped packets each, and they've gone away.
Something smells "not quite right" here - if the traffic is spoofed, and my "Refused" responses have been flying right back to the *real* IP addresses, how are the spoofing hosts to know that I'm dropping the traffic?
Even if I used a REJECT policy, I'd expect the ICMP messages to go back to the appropriate - as in real - hosts, rather than the spoofing sources.
Something here is very odd, very odd indeed... or I'm being dumb. It's happened before.
Graeme
In looking at my query logs I am seeing only requests from 66.230.160.1 and 66.230.128.15 so I've done the same thing with iptables and the rules are resulting in an ever-growing number of packets being dropped.

# iptables -nvL | grep -F -B 1 -A 1 66.230.160.1 | awk '{ print $1,$2,$3,$8,$10,$11,$12 }'
pkts bytes target source
49517 2228K DROP 66.230.160.1 udp spt:!53 dpt:53
35905 1616K DROP 66.230.128.15 udp spt:!53 dpt:53
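As an added example that is not part of the thread or either poster's own tooling: a short script that tallies queries per client address from DNS query-log lines, flags the heavy sources, and prints the iptables DROP rule that produces counters like the ones above (UDP to port 53, source port anything but 53). It assumes the BIND 9 query-log line layout of that era (the messages do not name the server software), the sample log lines are constructed, and the `! --sport 53` negation is the iptables syntax assumed here.

```python
"""Tally DNS queries per client from BIND-style query-log lines, flag heavy
sources, and emit the matching iptables DROP rule.

Added example, not code from the thread. The BIND 9 query-log layout is an
assumption and the sample lines below are constructed.
"""
import re
from collections import Counter

# Assumed BIND 9 query-log layout (2009 era):
#   <date> <time> client <ip>#<port>: query: <qname> <class> <type> <flags> (<server-ip>)
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)

# Constructed sample: two addresses sending repeated ANY queries, one ordinary
# client, and one junk line that the parser must skip.
SAMPLE_LOG = """\
21-Jan-2009 11:02:13.512 client 66.230.160.1#45321: query: example.com IN ANY + (192.0.2.53)
21-Jan-2009 11:02:13.514 client 66.230.128.15#60011: query: example.com IN ANY + (192.0.2.53)
21-Jan-2009 11:02:13.519 client 66.230.160.1#45321: query: example.com IN ANY + (192.0.2.53)
21-Jan-2009 11:02:13.523 client 192.0.2.10#52000: query: www.example.net IN A + (192.0.2.53)
21-Jan-2009 11:02:13.530 client 66.230.160.1#45321: query: example.com IN ANY + (192.0.2.53)
21-Jan-2009 11:02:13.541 client 66.230.128.15#60011: query: example.com IN ANY + (192.0.2.53)
21-Jan-2009 11:02:13.548 client 66.230.160.1#45321: query: example.com IN ANY + (192.0.2.53)
21-Jan-2009 11:02:13.555 client 66.230.128.15#60011: query: example.com IN ANY + (192.0.2.53)
this line is not a query-log entry and is skipped
"""


def parse_query_log(text):
    """Return one dict per well-formed query-log line; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def summarize(records, threshold):
    """Per-client and per-(qname, qtype) counts plus clients at or above threshold.

    If the traffic is spoofed, the client address is the address that receives
    your responses (the reflection victim), not the host that sent the packets.
    """
    per_client = Counter(r["ip"] for r in records)
    per_query = Counter((r["qname"], r["qtype"]) for r in records)
    flagged = sorted(
        (ip for ip, n in per_client.items() if n >= threshold),
        key=lambda ip: -per_client[ip],
    )
    return per_client, per_query, flagged


def drop_rule(ip):
    """Rule matching the counters in the thread: UDP to dport 53 from ip with
    source port != 53, so genuine server-to-server replies (sport 53) still pass."""
    return f"iptables -I INPUT -s {ip} -p udp ! --sport 53 --dport 53 -j DROP"


if __name__ == "__main__":
    recs = parse_query_log(SAMPLE_LOG)
    clients, queries, heavy = summarize(recs, threshold=3)
    for ip in heavy:
        print(f"{ip}: {clients[ip]} queries -> {drop_rule(ip)}")
    print("most common query:", queries.most_common(1)[0])
```

On the constructed sample the two thread addresses are flagged and 192.0.2.10 is not; the per-query counter shows which name and type is being asked for, which is the figure worth watching alongside the per-source rate. The DROP rule only stops the responses you would otherwise send to the flagged address; whether the packets are spoofed is not something the counters alone can tell you.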