Home page logo
/

nanog logo nanog mailing list archives

Re: ongoing DDoS...
From: Suresh Ramasubramanian <ops.lists () gmail com>
Date: Fri, 27 Jan 2006 10:35:01 +0530

On 1/27/06, Barry Shein <bzs () world std com> wrote:
Besides the obvious SMTP traffic this also generates a lot of DNS
traffic. At this point the DNS traffic seems to be more of a nuisance
probably because so many target hosts are retrying. At one point we
were doing around 10K pkts/second in DNS traffic, very unusual.

This has been going on for about a week.

At least some broken resolvers will keep re-querying you so see if you
cant throttle or rate limit dns queries from problem IPs for a while. 
That, and increase TTLs a bit.

As for the smtp -

* Dont accept email for catchall aliases - try to reject all you can
at the gateway

* Bounces and backscatter - RFC violation or not, accepting bounces
takes a backseat to keeping your mail system up and running.
TEMPORARILY turn off accepting mail from:<>, especially if you're
seeing far, far more bounce traffic to nonexistent addresses on your
site than valid bounces.

Long term - see if you can't use http://www.mipassoc.org/batv/
especially if all your users send email through your smtp server from
outside (say using AUTH) or ssh in and use pine / elm or whatever on
your shell servers.


So where does one start. It seems a mother ship needs to be shut down
somewhere, etc. Obviously ID'ing a miscreant would be a nice result.


You sure its just one botnet hitting you?  Shutting off a mothership
often means that the zombies become even more zombied and keep
pounding on your server long after the mothership is dead.

--srs

--
Suresh Ramasubramanian (ops.lists () gmail com)

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault