isprime DOS in progress
Mark_Andrews at isc.org
Fri Jan 23 18:00:21 CST 2009
In message <9A251497-E94C-4693-8E89-3FD3ACF6D138 at stupendous.net>, Nathan Ollere
> On 24/01/2009, at 6:46 AM, Steven Lisson wrote:
> > Hi,
> > I agree with seeing no traffic to/from 126.96.36.199 but am still
> > seeing flows 'from' 188.8.131.52
> > Regards,
> > Steve
> Hi Steve,
> There is at least an iptables rule you can use to drop this specific
> query, assuming your nameservers run Linux.
> The bind-users mailing list suggested having the ISPs trace back the
> flows and find the networks emitting the spoofed packets, and have
> those networks implement BCP 38.
It was also said here.
> While that's the 'right' solution
> (everyone should be doing ingress filtering, sure, impossible to argue
> against it), not every network out there is operated by people who
> give a damn.
I would suggest that you don't want to peer with such
I would suggest that deploying BCP 38 be a requirement for
> This will work at least until the kiddies improve their scripts to
> query for names that actually exist.
> On 24/01/2009, at 8:21 AM, Chris McDonald wrote:
> > We [AS3491] null0'd the IP earlier. Rest-of-world encouraged to do
> > the same :/
> Good luck with that. Right now they're targeting ISPrime, and you've
> just made the DoS even more effective for them. With any luck, the
> rest of the world will follow suit and the bad guys win! yay! :)
> Short of getting the rest of the world to properly implement ingress
> filtering (ha, ha), I think dropping the specific packets that
> generate the reflected traffic is good enough for now. The load on the
> reflectors is minimal.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
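The two mitigations the thread contrasts, dropping the one reflected query at the nameserver and BCP 38 ingress filtering at the originating network, as an added example that is not part of the thread and not any poster's rule. It builds a netfilter `-m string` match from a DNS name and type, so the rule is derived rather than hand-typed hex. It assumes IPv4 without IP options (the question section then starts at byte 40: 20 IP + 8 UDP + 12 DNS header), a kernel with the xt_string module, and a hypothetical attack query of "example.com ANY" standing in for whatever query is actually observed; the interface and prefixes in the BCP 38 part are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates (does not apply) iptables
# rules; run the printed lines as root on the nameserver / router if wanted.
# ASSUMPTIONS: IPv4 without options (question at offset 40), xt_string present,
# and "example.com ANY" as a HYPOTHETICAL stand-in for the real attack query.

# Encode a DNS name in wire format as hex: <len><label>...<len><label>00
# "." (the root) encodes as a single 00 byte.
dns_qname_hex() {
    name=${1%.}                      # drop trailing dot; "." becomes ""
    hex=""
    set -f; oldifs=$IFS; IFS=.       # split on dots, no globbing of labels
    for label in $name; do
        [ ${#label} -le 63 ] || { echo "label too long: $label" >&2; IFS=$oldifs; set +f; return 1; }
        hex="$hex$(printf '%02x' ${#label})$(printf '%s' "$label" | od -An -v -tx1 | tr -d ' \n')"
    done
    IFS=$oldifs; set +f
    printf '%s00\n' "$hex"
}

# Wire-format question section: qname, 16-bit qtype, qclass IN (0x0001).
dns_question_hex() {
    qname=$(dns_qname_hex "$1") || return 1
    printf '%s%04x0001\n' "$qname" "$2"
}

# Rule dropping a UDP/53 query whose question section matches exactly.
# --from 40 keeps the scan off the headers; --icase stops trivial evasion by
# flipping label case, since DNS names compare case-insensitively anyway.
mk_drop_rule() {
    q=$(dns_question_hex "$1" "$2") || return 1
    printf "iptables -I INPUT -p udp --dport 53 -m string --algo bm --from 40 --icase --hex-string '|%s|' -j DROP\n" "$q"
}

# BCP 38 at the edge: on a customer-facing interface, forward only packets
# whose source address belongs to that customer's assigned prefixes, drop the rest.
bcp38_rules() {
    iface=$1; shift
    for prefix in "$@"; do
        printf 'iptables -A FORWARD -i %s -s %s -j ACCEPT\n' "$iface" "$prefix"
    done
    printf 'iptables -A FORWARD -i %s -j DROP\n' "$iface"
}

# Constructed demonstration values; replace with the query and prefixes you observe.
mk_drop_rule example.com 255                 # 255 = QTYPE ANY (hypothetical)
bcp38_rules eth1 203.0.113.0/24 198.51.100.0/25
```

Two caveats the thread already hints at: the drop rule also discards legitimate queries for that exact name and type, and it stops working the moment the attacker changes the queried name, since nothing in a spoofed UDP query distinguishes it from a real one at the reflector. The BCP 38 rules only help when installed on the networks emitting the spoofed packets; installed at the reflector or the victim they filter nothing useful.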