Home page logo

nanog logo nanog mailing list archives

Re: ongoing DDoS...
From: Jason Frisvold <xenophage0 () gmail com>
Date: Thu, 26 Jan 2006 23:02:31 -0500

On 1/26/06, Barry Shein <bzs () world std com> wrote:
What I presume is a zombie army sending out gazillions of emails to
thousands of hosts out there (not ours) with a randomly generated
(usually) return/source address @ our domain(s). The target addresses
are usually also unknown so it just bounces back at us.

Some sort of a user check should mitigate most of this..  ie, drop at
the smtp level, don't bounce.

Besides the obvious SMTP traffic this also generates a lot of DNS
traffic. At this point the DNS traffic seems to be more of a nuisance
probably because so many target hosts are retrying. At one point we
were doing around 10K pkts/second in DNS traffic, very unusual.

10K/s is a lot..  I would expect a lot less..  Presumably the source
of the DNS requests would be another DNS server who should be caching
the result.

Try increasing the TTL for the "offending" records...  I see it's at
24 hours at the moment though.

Can you do some sniffing to determine the source of the lookups? 
Perhaps a broken dns server or two out there?

P.S. If you think "get a firewall": The problem traffic is coming from
legitimate hosts in the form of DNS+SMTP, not the bots (not to us
anyhow.) So not so simple, what's the filter?

Throttle on the gateway?  Specifically, throttle DNS traffic to start
if that's doing the most damage, and then throttle smtp if necessary..
Depend on the remote retry to handle any timeouts..

        -Barry Shein

Jason 'XenoPhage' Frisvold
XenoPhage0 () gmail com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]