isprime DOS in progress
Todd T. Fries
nanog at email.fries.net
Tue Jan 20 14:55:14 CST 2009
You guys might want to be aware that isprime.com (I am not affiliated or
representing them, just passing on info since friends and I noticed this)
is actively under a DOS where lots of people's dns servers around the world
are being queried with bogus sourced dns requests not from port 53 for
'NS? .'. This then bounces back to their authoritative nameservers which
are getting traffic overload. They've asked that those of us that can
should block all but port 53 from the following two IP's (their dns
servers as seen on whois) so as not to block legitimate dns info:
Here is the response from their abuse department:
To: todd at fries.net
Subject: Re: dos info?
From: ISPrime Support <support at isprime.com>
Date: Tue, 20 Jan 2009 15:16:02 -0500 (EST)
These are the result of a spoofed dns recursion attack against our servers. The actual packets in question (the ones reaching your servers) do NOT originate from our network as such there is no way for us to filter things from our end.
If you are receiving queries from 18.104.22.168/22.214.171.124 neither of these machines make legitimate outbound dns requests so an inbound filter of packets to udp/53 from either of these two sources is perfect.
If you are receiving queries from 126.96.36.199/188.8.131.52 these servers are authoritative nameservers. Please do not blackhole either of these IPs as they host many domains. However, these IPs do not make outbound DNS requests so filtering requests to your IPs from these ips with a destination port of 53 should block any illegitimate requests.
An ACL similar to:
access-list 110 deny udp host 184.108.40.206 neq 53 any eq 53
access-list 110 deny udp host 220.127.116.11 neq 53 any eq 53
Is what you want.
I would also suggest taking a look at the excellent CYMRU secure bind template (assuming you are running bind), to help you configure your nameservers so that you do not participate in this attack: http://www.cymru.com/Documents/secure-bind-template.html.
Thanks for your help in mitigating this attack against us.
Please let me know if I can be of further assistance.
support at isprime.com
On 2009-01-20, at 15:14:33, "Todd T. Fries" <todd at fries.net> wrote:
> I was told to write here for your writeup on what to block and such
> to help you guys out given the DOS that is ongoing.
Todd Fries .. todd at fries.net
| \ 1.636.410.0632 (voice)
| Free Daemon Consulting, LLC \ 1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com \ 1.866.792.3418 (FAX)
| "..in support of free software solutions." \ 250797 (FWD)
37E7 D3EB 74D0 8D66 A68D B866 0326 204E 3F42 004A
Penned by Mike Lyon on 20090109 16:41.04, we have:
| If so, would you mind hitting me up offlist? I have a few questions that i
| am unable to get answered through normal channels.
More information about the NANOG