Re: ongoing DDoS...
From: Suresh Ramasubramanian <ops.lists () gmail com>
Date: Fri, 27 Jan 2006 10:35:01 +0530

On 1/27/06, Barry Shein <bzs () world std com> wrote:
> Besides the obvious SMTP traffic this also generates a lot of DNS
> traffic. At this point the DNS traffic seems to be more of a nuisance
> probably because so many target hosts are retrying. At one point we
> were doing around 10K pkts/second in DNS traffic, very unusual.
>
> This has been going on for about a week.

At least some broken resolvers will keep re-querying you, so see if you
can't throttle or rate limit DNS queries from problem IPs for a while.
That, and increase TTLs a bit.

As for the smtp -

* Don't accept email for catchall aliases - try to reject all you can
at the gateway

* Bounces and backscatter - RFC violation or not, accepting bounces
takes a backseat to keeping your mail system up and running.
TEMPORARILY turn off accepting mail from:<>, especially if you're
seeing far, far more bounce traffic to nonexistent addresses on your
site than valid bounces.

Long term - see if you can't use http://www.mipassoc.org/batv/
especially if all your users send email through your SMTP server from
outside (say using AUTH) or ssh in and use pine / elm or whatever on
your shell servers.

> So where does one start? It seems a mother ship needs to be shut down
> somewhere, etc. Obviously ID'ing a miscreant would be a nice result.

You sure it's just one botnet hitting you?  Shutting off a mothership
often means that the zombies become even more zombied and keep
pounding on your server long after the mothership is dead.


Suresh Ramasubramanian (ops.lists () gmail com)
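The BATV idea Suresh points to (sign your outbound MAIL FROM, then only accept bounces to addresses that carry a valid signature) can be shown end to end in a few dozen lines. The code below is an added example written for this archive page, not code from the thread or from the BATV project. It uses the PRVS ("private signature") tag layout from the BATV draft: `prvs=KDDDHHHHHH=localpart@domain`, with a one-digit key number, a three-digit expiry day and a 24-bit truncated HMAC-SHA1. The domain `example.com`, the key material, the seven-day lifetime and the exact bytes fed to the HMAC are this example's own assumptions; a real deployment would follow the draft's hash input and keep the key secret and rotated.

```python
import hmac
import hashlib
import time
from typing import Tuple

# Constructed demo key, indexed by the one-digit key number carried in the tag.
# Assumption: a real MTA keeps this secret and rotates it by bumping the number.
KEYS = {0: b"constructed-demo-key-0"}
DOMAIN = "example.com"          # assumed local domain
DEFAULT_LIFETIME_DAYS = 7       # assumed tag lifetime


def _day_number(ts: float) -> int:
    """Days since the Unix epoch; the tag stores this modulo 1000."""
    return int(ts // 86400)


def _tag_hash(key_number: int, ddd: str, local: str, domain: str) -> str:
    """24-bit truncated HMAC-SHA1 over key number, expiry day and the
    original address. Assumption: this is the example's input layout."""
    msg = f"{key_number}{ddd}{local}@{domain}".encode()
    return hmac.new(KEYS[key_number], msg, hashlib.sha1).hexdigest()[:6]


def batv_sign(address: str, key_number: int = 0,
              lifetime_days: int = DEFAULT_LIFETIME_DAYS,
              now: float = None) -> str:
    """Rewrite an outbound MAIL FROM into its prvs-tagged form."""
    local, domain = address.rsplit("@", 1)
    now = time.time() if now is None else now
    ddd = f"{(_day_number(now) + lifetime_days) % 1000:03d}"
    return f"prvs={key_number}{ddd}{_tag_hash(key_number, ddd, local, domain)}={local}@{domain}"


def batv_verify(address: str, now: float = None) -> Tuple[bool, str]:
    """Check a bounce recipient. Returns (valid, original_address_or_reason)."""
    local, domain = address.rsplit("@", 1)
    if not local.startswith("prvs="):
        return False, "no prvs tag"
    parts = local.split("=", 2)
    if len(parts) != 3:
        return False, "malformed tag"
    _, tag, orig_local = parts
    if len(tag) != 10 or not tag[:4].isdigit() \
            or any(c not in "0123456789abcdef" for c in tag[4:].lower()):
        return False, "malformed tag"
    key_number, ddd, h = int(tag[0]), tag[1:4], tag[4:].lower()
    if key_number not in KEYS:
        return False, "unknown key"
    expected = _tag_hash(key_number, ddd, orig_local, domain)
    if not hmac.compare_digest(expected, h):
        return False, "bad signature"
    now = time.time() if now is None else now
    # Expiry is stored modulo 1000 days, so compare inside a half-window
    # to survive wraparound; a tag is dead once its day has passed.
    days_left = (int(ddd) - _day_number(now) % 1000) % 1000
    if days_left == 0 or days_left > 500:
        return False, "expired"
    return True, f"{orig_local}@{domain}"


def bounce_policy(mail_from: str, rcpt_to: str, now: float = None) -> str:
    """SMTP-time decision: bounces (MAIL FROM:<>) to our domain are accepted
    only when the recipient carries a valid, unexpired prvs tag. Anything
    else with a null sender is backscatter from forged mail and is refused."""
    if mail_from != "":
        return "accept"                      # not a bounce; usual checks apply
    _, domain = rcpt_to.rsplit("@", 1)
    if domain.lower() != DOMAIN:
        return "reject: not our domain"
    ok, info = batv_verify(rcpt_to, now=now)
    return "accept" if ok else f"reject: backscatter ({info})"


if __name__ == "__main__":
    sent_at = 1138300000                     # late January 2006, to match the thread
    signed = batv_sign("alice@example.com", now=sent_at)
    print("outbound MAIL FROM:", signed)
    print("bounce to signed addr:", bounce_policy("", signed, now=sent_at))
    print("bounce to bare addr:  ", bounce_policy("", "alice@example.com"))
    print("bounce 8 days later:  ", bounce_policy("", signed, now=sent_at + 8 * 86400))
```

Outbound signing sits where the MTA rewrites the envelope sender (for Postfix that is a sender canonical or rewrite map; for a milter, the MAIL FROM hook), and `bounce_policy` is the check applied at RCPT TO when the envelope sender is empty. Because the tag is only on the envelope, not the From: header, users see nothing, and this is why the advice is tied to everyone relaying through your server: mail that leaves another way is unsigned and its bounces will be refused.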
