Tracking the DNS amplification attacks (was: isprime DOS in progress)

Frank Bulk frnkblk at iname.com
Sat Jan 24 21:00:53 CST 2009


I would not recommend sucking in your dns log into an array, rather, read line
by line and iterate over the file, line by line.

Frank

-----Original Message-----
From: Brian Keefer [mailto:chort at smtps.net] 
Sent: Saturday, January 24, 2009 6:50 PM
To: nanog at nanog.org
Subject: Tracking the DNS amplification attacks (was: isprime DOS in
progress)

Caveat:  my PERL is _terrible_.

http://www.smtps.net/pub/dns-amp-watch.pl

This assumes you're using BIND.  My logs roll on the hour, so I run it  
from cron at 1 minute before the hour.  Depending on how long it takes  
to process your logs, you might need to tweak.

--
bk
CA cert:  http://www.smtps.net/pub/smtps-dot-net-ca-2.pem
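
The line-by-line approach suggested in the reply, as an added example that is not part of either message and is not the dns-amp-watch.pl script: it streams a BIND query log and counts queries per client, name and type. The log line layout, the `count_queries` name, the threshold and the sample lines are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: read a BIND query log one line at a time instead of
# loading it into an array. Memory grows with the number of distinct
# (client, qname, qtype) keys, not with the size of the log file.
use strict;
use warnings;

# Constructed sample lines in BIND 9 querylog style (documentation addresses).
my $sample = <<'END';
24-Jan-2009 18:50:01.101 client 192.0.2.10#31337: query: . IN NS +
24-Jan-2009 18:50:01.102 client 192.0.2.10#4242: query: . IN NS +
24-Jan-2009 18:50:01.350 client 198.51.100.7#53112: query: www.example.com IN A +
24-Jan-2009 18:50:02.007 client 192.0.2.10#9001: query: . IN NS +
24-Jan-2009 18:50:02.500 zone example.com/IN: loaded serial 2009012401
END

my $THRESHOLD = 3;    # assumed cut-off; tune to your normal traffic

# Returns a hash ref of "client qname qtype" => count for one filehandle.
sub count_queries {
    my ($fh) = @_;
    my %count;
    while (my $line = <$fh>) {    # only the current line is held in memory
        next unless $line =~
            /client (?:\@\S+ )?([0-9a-fA-F.:]+)#\d+.*?: query: (\S+) (\S+) (\S+)/;
        $count{"$1 $2 $4"}++;     # $3 is the class (IN), not needed in the key
    }
    return \%count;
}

# Use a log path given on the command line, else the constructed sample.
my $fh;
if (@ARGV) {
    open $fh, '<', $ARGV[0] or die "cannot open $ARGV[0]: $!";
} else {
    open $fh, '<', \$sample or die "cannot open sample: $!";
}
my $count = count_queries($fh);
close $fh;

# Report the heaviest keys first, skipping anything under the threshold.
for my $key (sort { $count->{$b} <=> $count->{$a} } keys %$count) {
    next if $count->{$key} < $THRESHOLD;
    printf "%6d  %s\n", $count->{$key}, $key;
}
```

In an amplification attack the query source is spoofed, so the client address reported here is the target of the reflected traffic rather than the sender.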





