isprime DOS in progress

Todd T. Fries nanog at email.fries.net
Tue Jan 20 14:55:14 CST 2009


You guys might want to be aware that isprime.com (I am not affiliated or
representing them, just passing on info since friends and I noticed this)
is actively under a DoS where lots of people's DNS servers around the world
are being queried with bogus-sourced DNS requests, not from port 53, for
'NS? .'.  This then bounces back to their authoritative nameservers, which
are getting traffic overload.  They've asked that those of us who can
should block all but port 53 from the following two IPs (their DNS
servers as seen in whois) so as not to block legitimate DNS info:

	66.230.128.15
	66.230.160.1

Here is the response from their abuse department:


 To: todd at fries.net
 Subject: Re: dos info?
 From: ISPrime Support <support at isprime.com>
 Date: Tue, 20 Jan 2009 15:16:02 -0500 (EST)

 Hello,

 These are the result of a spoofed DNS recursion attack against our servers. The actual packets in question (the ones reaching your servers) do NOT originate from our network; as such, there is no way for us to filter things from our end.

 If you are receiving queries from 76.9.31.42/76.9.16.171, neither of these machines makes legitimate outbound DNS requests, so an inbound filter of packets to udp/53 from either of these two sources is perfect.

 If you are receiving queries from 66.230.128.15/66.230.160.1, these servers are authoritative nameservers. Please do not blackhole either of these IPs, as they host many domains. However, these IPs do not make outbound DNS requests, so filtering requests to your IPs from these IPs with a destination port of 53 should block any illegitimate requests.

 An ACL similar to:
 access-list 110 deny udp host 66.230.160.1 neq 53 any eq 53
 access-list 110 deny udp host 66.230.128.15 neq 53 any eq 53
 Is what you want.

 I would also suggest taking a look at the excellent CYMRU secure BIND template (assuming you are running BIND), to help you configure your nameservers so that you do not participate in this attack: http://www.cymru.com/Documents/secure-bind-template.html.

 Thanks for your help in mitigating this attack against us.
 
 Please let me know if I can be of further assistance.

 ISPrime Support
 support at isprime.com
 ICQ: 136633378

 On 2009-01-20, at 15:14:33, "Todd T. Fries" <todd at fries.net> wrote:
 > I was told to write here for your writeup on what to block and such
 > to help you guys out given the DOS that is ongoing.


Thanks,
-- 
Todd Fries .. todd at fries.net

 _____________________________________________
|                                             \  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC                 \  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com             \  1.866.792.3418 (FAX)
| "..in support of free software solutions."  \          250797 (FWD)
|                                             \
 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
                                                
              37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
                        http://todd.fries.net/pgp.txt

Penned by Mike Lyon on 20090109 16:41.04, we have:
| If so, would you mind hitting me up offlist? I have a few questions that i
| am unable to get answered through normal channels.
| 
| Cheers,
| Mike
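The pattern described above (forged 'NS? .' queries carrying the victim's address, sent from a non-53 source port, so that the large root-NS answer is reflected at the victim) can be spotted in a resolver's own query log before deciding what to filter. The following is an added example, not code from the original post or from ISPrime. It assumes BIND 9 query-log lines of the shape 'client <ip>#<port>: query: <qname> <class> <qtype> <flags>', uses the four source addresses ISPrime named as the known forged sources, and treats the sample log lines, the reporting threshold of three queries, and the ACL number 110 as constructed illustration values. It tallies root-NS queries per claimed source and emits filter lines in the same form ISPrime suggested, so that only the forged queries are dropped while legitimate traffic to and from those nameservers (source port 53) still passes.

```python
"""Detect the spoofed 'NS? .' reflection pattern in BIND 9 query-log lines.

Added example (not from the original post). It assumes the BIND 9 querylog
line shape 'client <ip>#<port>: query: <qname> <class> <qtype> <flags>'.
"""
import re
from collections import Counter

# Source addresses named in the post. ISPrime states these hosts make no
# outbound DNS queries, so any query claiming to come from them is forged.
VICTIMS = {"66.230.128.15", "66.230.160.1", "76.9.31.42", "76.9.16.171"}

# Assumed querylog layout: 'client <ip>#<port>: query: <qname> <class> <qtype> ...'
QUERYLOG_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f:.]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def parse_query_line(line):
    """Return a dict (ip, port, qname, qclass, qtype) for a query record, else None."""
    m = QUERYLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def is_root_ns_reflection(rec):
    """The attack signature: a query for 'NS? .' from a non-53 source port.

    Queries from source port 53 are left alone, matching the 'neq 53' in
    ISPrime's ACL, so real nameserver-to-nameserver traffic is not touched.
    """
    return rec["qname"] == "." and rec["qtype"].upper() == "NS" and rec["port"] != 53


def tally_reflection_sources(lines, victims=VICTIMS, threshold=3):
    """Count 'NS? .' queries per claimed source address.

    Returns (flagged, counts): 'flagged' holds sources that are known victims
    or that sent at least `threshold` such queries (threshold is an assumed
    tuning value); 'counts' is the full per-source Counter.
    """
    counts = Counter()
    for line in lines:
        rec = parse_query_line(line)
        if rec and is_root_ns_reflection(rec):
            counts[rec["ip"]] += 1
    flagged = {ip for ip, n in counts.items() if ip in victims or n >= threshold}
    return flagged, counts


def acl_rules(ips, acl_number=110):
    """Cisco extended-ACL lines in the form ISPrime posted: drop UDP from the
    forged source when it is not from port 53 but is aimed at our port 53."""
    return [f"access-list {acl_number} deny udp host {ip} neq 53 any eq 53"
            for ip in sorted(ips)]


# Constructed sample log lines (not real traffic); the last one is not a query.
SAMPLE_LOG = """\
20-Jan-2009 14:55:14.001 client 66.230.160.1#1024: query: . IN NS +
20-Jan-2009 14:55:14.002 client 192.0.2.10#40000: query: www.example.com IN A +
20-Jan-2009 14:55:14.003 client 66.230.128.15#2000: query: . IN NS +
20-Jan-2009 14:55:14.004 client 76.9.31.42#33333: query: . IN NS +
20-Jan-2009 14:55:14.005 client 66.230.160.1#53: query: . IN NS -
20-Jan-2009 14:55:14.006 client 198.51.100.7#50000: query: . IN NS +
20-Jan-2009 14:55:14.007 client 66.230.160.1#1025: query: . IN NS +
20-Jan-2009 14:55:14.008 notify: info: zone example.com/IN: sending notifies
""".splitlines()

if __name__ == "__main__":
    flagged, counts = tally_reflection_sources(SAMPLE_LOG)
    for ip, n in counts.most_common():
        mark = "(flagged)" if ip in flagged else ""
        print(f"{ip:16} {n:4} 'NS? .' queries {mark}")
    print("\n".join(acl_rules(flagged)))
```

On the sample lines, 66.230.160.1 is counted twice (its port-53 query is ignored), the three known forged sources are flagged, and 198.51.100.7 stays below the threshold, so the emitted ACL covers only the three forged addresses. The filter is a stopgap for the duration of the attack; the lasting fix ISPrime points at is not answering recursive queries for arbitrary clients in the first place.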




More information about the NANOG mailing list