isprime DOS in progress

Justin Krejci jkrejci at
Wed Jan 21 17:32:37 UTC 2009

-----Original Message-----
From: Graeme Fowler [mailto:graeme at] 
Sent: Wednesday, January 21, 2009 11:08 AM
To: Nanog Mailing list
Subject: Re: isprime DOS in progress

> I've been seeing a lot of noise from the latter two addresses after
> switching on query logging (and finishing an application of Team Cymru's
> excellent template) so I decided to DROP traffic from the addresses
> (with source port != 53) at the hosts in question.

> Well, blow me down if they didn't completely stop talking to me. Four
> dropped packets each, and they've gone away.

> Something smells "not quite right" here - if the traffic is spoofed, and
> my "Refused" responses have been flying right back to the *real* IP
> addresses, how are the spoofing hosts to know that I'm dropping the
> traffic?
> Even if I used a REJECT policy, I'd expect the ICMP messages to go back
> to the appropriate - as in real - hosts, rather than the spoofing
> sources.
> Something here is very odd, very odd indeed... or I'm being dumb. It's
> happened before.
> Graeme

In looking at my query logs I am seeing only requests from and so I've done the same thing with iptables and the rules are
resulting in an ever growing number of packets being dropped.

# iptables -nvL | grep -F -B 1 -A 1 | awk '{ print
$1,$2,$3,$8,$10,$11,$12 }'

pkts  bytes target source
49517 2228K DROP udp spt:!53 dpt:53
35905 1616K DROP udp spt:!53 dpt:53

More information about the NANOG mailing list