isprime DOS in progress
Mark Andrews
Mark_Andrews at isc.org
Sat Jan 24 00:00:21 UTC 2009
In message <9A251497-E94C-4693-8E89-3FD3ACF6D138 at stupendous.net>, Nathan Ollerenshaw writes:
> On 24/01/2009, at 6:46 AM, Steven Lisson wrote:
>
> > Hi,
> >
> > I agree with seeing no traffic to/from 66.230.128.15 but am still
> > seeing flows 'from' 66.230.160.1
> >
> > Regards,
> > Steve
>
> Hi Steve,
>
> There is at least an iptables rule you can use to drop this specific
> query, assuming your nameservers run linux.
>
> http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/
>
> The bind-users mailing list suggested having the ISPs trace back the
> flows and find the networks emitting the spoofed packets, and have
> those networks implement BCP 38.
It was also said here.
> While that's the 'right' solution
> (everyone should be doing ingress filtering, sure, impossible to argue
> against it), not every network out there is operated by people who
> give a damn.
I would suggest that you don't want to peer with such networks.
I would suggest that deploying BCP 38 be a requirement for peering.
> This will work at least until the kiddies improve their scripts to
> query for names that actually exist.
>
> On 24/01/2009, at 8:21 AM, Chris McDonald wrote:
>
> > We [AS3491] null0'd the IP earlier. Rest-of-world encouraged to do
> > the same :/
>
> Good luck with that. Right now they're targeting ISPrime, and you've
> just made the DoS even more effective for them. With any luck, the
> rest of the world will follow suit and the bad guys win! yay! :)
>
> Short of getting the rest of the world to properly implement ingress
> filtering (ha, ha), I think dropping the specific packets that
> generate the reflected traffic is good enough for now. The load on the
> reflectors is minimal.
>
> Nathan.
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
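An added illustration of the detection side of what Nathan describes above (example code written for this archive page; it is not from the thread, from ISC, or from the linked stupendous.net post). It assumes a BIND-style query log, that the spurious queries are recursive NS lookups for "." (an assumption taken from the linked post's title, not stated in the thread), and uses constructed log lines whose source addresses are the two the thread reports as spoofed.

```python
import re
from collections import defaultdict

# Constructed BIND-style query log lines (not taken from the thread). The
# timestamps, ports and the non-attack queries are made up; the two
# 66.230.x.x clients are the addresses the thread reports as spoofed sources.
SAMPLE_LOG = """\
24-Jan-2009 00:00:01.001 client 66.230.160.1#53: query: . IN NS +
24-Jan-2009 00:00:01.002 client 66.230.160.1#53: query: . IN NS +
24-Jan-2009 00:00:01.003 client 66.230.160.1#53: query: . IN NS +
24-Jan-2009 00:00:01.004 client 66.230.160.1#53: query: . IN NS +
24-Jan-2009 00:00:01.005 client 66.230.160.1#53: query: . IN NS +
24-Jan-2009 00:00:01.050 client 192.0.2.10#41234: query: www.example.com IN A +
24-Jan-2009 00:00:02.010 client 66.230.128.15#53: query: . IN NS +
24-Jan-2009 00:00:02.020 client 198.51.100.7#53001: query: example.net IN MX +
"""

# Assumed log layout: <date> <time>.<ms> client <ip>#<port>: query: <qname> <class> <type> <flags>
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\d\d:\d\d:\d\d)\.\d+ client (?P<client>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)$"
)

def parse_line(line):
    """Return the fields of one query-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_reflection_sources(log_text, threshold=3, qname=".", qtype="NS"):
    """Return [(client, second, count)] for every client that sent more than
    `threshold` recursive queries (flags starting with '+', i.e. RD set) for
    the given qname/qtype within one second.

    A tight burst of identical queries from one source is the reflection
    signature. The client address is the spoofed *victim*, so the output is
    meant to drive a rule that drops this specific query, not a blacklist of
    the source: null-routing the address only finishes the attack for them,
    as the thread points out.
    """
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qname"] != qname or rec["qtype"] != qtype:
            continue
        if not rec["flags"].startswith("+"):  # '+' = recursion desired
            continue
        counts[(rec["client"], rec["date"] + " " + rec["time"])] += 1
    return sorted((c, t, n) for (c, t), n in counts.items() if n > threshold)
```

The threshold is a constructed value; on a real resolver it should be set well above the rate at which any legitimate client asks for the root NS set.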