isprime DOS in progress

Mark Andrews Mark_Andrews at isc.org
Sat Jan 24 00:00:21 UTC 2009


In message <9A251497-E94C-4693-8E89-3FD3ACF6D138 at stupendous.net>, Nathan Ollere
nshaw writes:
> On 24/01/2009, at 6:46 AM, Steven Lisson wrote:
> 
> > Hi,
> >
> > I agree with seeing no traffic to/from 66.230.128.15 but am still  
> > seeing flows 'from' 66.230.160.1
> >
> > Regards,
> > Steve
> 
> Hi Steve,
> 
> There is at least an iptables rule you can use to drop this specific  
> query, assuming your nameservers run linux.
> 
> http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursiv
> e-queries/
> 
> The bind-users mailing list suggested having the ISPs trace back the  
> flows and find the networks emitting the spoofed packets, and have  
> those networks implement BCP 38.

	It was also said here.

> While that's the 'right' solution  
> (everyone should be doing ingress filtering, sure, impossible to argue  
> against it), not every network out there is operated by people who  
> give a damn.

	I would suggest that you don't want to peer with such
	networks.

	I would suggest that deploying BCP 38 be a requirement for
	peering.
 
> This will work at least until the kiddies improve their scripts to  
> query for names that actually exist.
> 
> On 24/01/2009, at 8:21 AM, Chris McDonald wrote:
> 
> > We [AS3491] null0'd the IP earlier.  Rest-of-world encouraged to do  
> > the same :/
> 
> Good luck with that. Right now they're targetting ISPrime, and you've  
> just made the DoS even more effective for them. With any luck, the  
> rest of the world will follow suit and the bad guys win! yay! :)
> 
> Short of getting the rest of the world to properly implement ingress  
> filtering (ha, ha), I think dropping the specific packets that  
> generate the reflected traffic is good enough for now. The load on the  
> reflectors is minimal.
> 
> Nathan.
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org




More information about the NANOG mailing list