Sorry, I lied. We are running 8.34Release
What I cannot figure out is why *our* name server is sending out ICMP unreachables. The incoming DNS queries are coming from random destinations....
I have blocked ICMP 3 incoming from that DMZ so as not to overwhelm the CEF in any other routers, but whoever is doing this has this name server at its knees.
Dan.
Eric Whitehill wrote:
Dan:
Can you update your version of BIND and install some ACLs?
-Eric
On Fri, 28 Mar 2003, Dan Armstrong wrote:
Date: Fri, 28 Mar 2003 09:20:20 -0500
From: Dan Armstrong <dan@beanfield.com>
To: nanog@merit.edu
Subject: DNS dDos Attack!
I am sorry if this has come up before, but it seems that one of our name servers is under some sort of dDos attack. It seems to be receiving millions of queries from spoofed IPs, and it is spending all of its time sending back ICMP unreachables.
It is running bind 4.31 under BSD 4.62STABLE
Help!
Thanks, Dan.
Dan,
Might I suggest a few things.
1) If you truly want the nanog community to help, perhaps you wish to post the IP being attacked as well as a series of sources, including the names of your upstreams involved, as their security teams haven't helped you and that's the reason for the post.
2) You probably want to install an ICMP rate-limit to help mitigate this attack. By saying CEF, I assume you are using a Cisco router. Here's a quick example:
interface <foo>
 rate-limit input access-group 2000 1536000 200000 200000 conform-action transmit exceed-action drop
access-list 2000 permit icmp any any
That should drop the ICMP down to around a T1's worth.
- Jared
On Fri, Mar 28, 2003 at 09:28:48AM -0500, Dan Armstrong wrote:
Sorry, I lied. We are running 8.34Release
What I cannot figure out is why *our* name server is sending out ICMP unreachables. The incoming DNS queries are coming from random destinations....
I have blocked ICMP 3 incoming from that DMZ so as not to overwhelm the CEF in any other routers, but whoever is doing this has this name server at its knees.
Dan.
Eric Whitehill wrote:
Dan:
Can you update your version of BIND and install some ACLs?
-Eric
On Fri, 28 Mar 2003, Dan Armstrong wrote:
Date: Fri, 28 Mar 2003 09:20:20 -0500
From: Dan Armstrong <dan@beanfield.com>
To: nanog@merit.edu
Subject: DNS dDos Attack!
I am sorry if this has come up before, but it seems that one of our name servers is under some sort of dDos attack. It seems to be receiving millions of queries from spoofed IPs, and it is spending all of its time sending back ICMP unreachables.
It is running bind 4.31 under BSD 4.62STABLE
Help!
Thanks, Dan.
--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/
My statements are only mine.
--On Friday, March 28, 2003 09:28:48 AM -0500 Dan Armstrong <dan@beanfield.com> wrote:
Sorry, I lied. We are running 8.34Release
What I cannot figure out is why *our* name server is sending out ICMP unreachables. The incoming DNS queries are coming from random destinations....
Are you sure the inbound attack packets are really valid queries, or are they responses? I ask because in the classic DDoS-via-nameservers attack, the victim will receive answers from a slew of other nameservers and send out ICMP unreachables. See http://www.cert.org/incident_notes/IN-2000-04.html
Kevin
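Kevin's question (queries or responses?) is settled by one bit in the DNS header: QR (RFC 1035, section 4.1.1) is 0 in a query and 1 in a response. In the reflection attack described in IN-2000-04 the attacker sends queries to many third-party name servers with the victim's address as the spoofed source and a random source port, so the victim receives answers addressed to UDP ports nothing is bound to, and its kernel emits ICMP type 3 code 3 (port unreachable) for each one; the name server process never sees those packets, which is why BIND ACLs alone do not help against that variant. The following is an added example written for this archive page, not code from any participant: it parses the header of each inbound UDP payload, classifies it as a query, a response to the listening port, or an unsolicited response to a closed port, and tallies which sources the responses come from. The packets are constructed inline, the addresses are from RFC 5737 documentation ranges, and the assumption that the server listens only on udp/53 is a parameter.

```python
"""Classify inbound DNS traffic as queries or responses via the QR header bit.

Added example for the NANOG thread above; every packet below is constructed,
not captured, and LISTENING_PORTS is an assumption about the victim host.
"""
import struct
from collections import Counter

LISTENING_PORTS = {53}   # assumption: the name server binds only udp/53


def encode_name(name):
    """Encode a dotted name into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_message(txid, name, response=False, rcode=0):
    """Build a minimal DNS message with one question (A, IN).

    A response sets QR and AA, carries the RCODE, and, when RCODE is 0,
    one A record pointing back at the question name via compression."""
    flags = 0x0100                                   # RD, like a stub resolver
    if response:
        flags |= 0x8000 | 0x0400 | (rcode & 0xF)     # QR + AA + RCODE
    ancount = 1 if response and rcode == 0 else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    if ancount:
        # name pointer to offset 12, type A, class IN, TTL, RDLENGTH, RDATA
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return msg


def _read_qname(payload, offset):
    """Read an uncompressed QNAME starting at offset; return dotted form."""
    labels = []
    while True:
        length = payload[offset]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        offset += 1
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + "."


def parse_dns_header(payload):
    """Decode the 12-byte header plus the first question name."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),   # QR bit
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "qdcount": qd,
        "ancount": an,
        "qname": _read_qname(payload, 12) if qd else "",
    }


def classify_packet(dst_port, payload):
    """Return 'query', 'response' or 'unsolicited-response'.

    A response landing on a port with no listener is what makes the host
    emit ICMP port unreachable; the name server itself never sees it."""
    hdr = parse_dns_header(payload)
    if not hdr["is_response"]:
        return "query"
    return "response" if dst_port in LISTENING_PORTS else "unsolicited-response"


def summarize(packets):
    """packets: iterable of (src_ip, src_port, dst_port, payload).
    Returns (Counter of kinds, Counter of responding sources)."""
    kinds, responders = Counter(), Counter()
    for src_ip, _src_port, dst_port, payload in packets:
        kind = classify_packet(dst_port, payload)
        kinds[kind] += 1
        if kind != "query":
            responders[src_ip] += 1
    return kinds, responders


# Constructed sample: one genuine query from a client, then answers from
# three unrelated name servers that were fed queries spoofed from the victim,
# arriving on random high ports the victim never opened.
SAMPLE_PACKETS = [
    ("203.0.113.5", 40123, 53, build_dns_message(0x0001, "www.example.com")),
    ("192.0.2.53", 53, 51000, build_dns_message(0x4242, "big.example.net", response=True)),
    ("192.0.2.54", 53, 51001, build_dns_message(0x4243, "big.example.net", response=True)),
    ("192.0.2.53", 53, 51002, build_dns_message(0x4244, "big.example.net", response=True)),
    ("192.0.2.55", 53, 51003, build_dns_message(0x4245, "nx.example.org", response=True, rcode=3)),
]

if __name__ == "__main__":
    kinds, responders = summarize(SAMPLE_PACKETS)
    print(dict(kinds))
    print(responders.most_common(3))
```

On a real host the tuples would come from a capture filtered to the victim address; if the tally is dominated by unsolicited responses, the useful data are the responder addresses (the reflectors to ask upstreams about) rather than the spoofed sources in Dan's logs, and an ICMP rate-limit like Jared's only caps the outbound unreachables, not the inbound flood.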
participants (3)
- Dan Armstrong
- Jared Mauch
- Kevin Houle