mailing list archives
isprime DOS in progress
From: "Todd T. Fries" <nanog () email fries net>
Date: Tue, 20 Jan 2009 14:55:14 -0600
You guys might want to be aware that isprime.com (I am not affiliated or
representing them, just passing on info since friends and I noticed this)
is actively under a DOS where lots of people's dns servers around the world
are being queried with bogus sourced dns requests not from port 53 for
'NS? .'. This then bounces back to their authoritative nameservers which
are getting traffic overload. They've asked that those of us that can
should block all but port 53 from the following two IP's (their dns
servers as seen on whois) so as not to block legitimate dns info:
Here is the response from their abuse department:
To: todd () fries net
Subject: Re: dos info?
From: ISPrime Support <support () isprime com>
Date: Tue, 20 Jan 2009 15:16:02 -0500 (EST)
These are the result of a spoofed dns recursion attack against our servers. The actual packets in question (the ones
reaching your servers) do NOT originate from our network as such there is no way for us to filter things from our end.
If you are receiving queries from 18.104.22.168/22.214.171.124 neither of these machines make legitimate outbound dns
requests so an inbound filter of packets to udp/53 from either of these two sources is perfect.
If you are receiving queries from 126.96.36.199/188.8.131.52 these servers are authoritative nameservers. Please do
not blackhole either of these IPs as they host many domains. However, these IPs do not make outbound DNS requests so
filtering requests to your IPs from these ips with a destination port of 53 should block any illegitimate requests.
An ACL similar to:
access-list 110 deny udp host 184.108.40.206 neq 53 any eq 53
access-list 110 deny udp host 220.127.116.11 neq 53 any eq 53
Is what you want.
I would also suggest taking a look at the excellent CYMRU secure bind template (assuming you are running bind), to
help you configure your nameservers so that you do not participate in this attack:
Thanks for your help in mitigating this attack against us.
Please let me know if I can be of further assistance.
support () isprime com
On 2009-01-20, at 15:14:33, "Todd T. Fries" <todd () fries net> wrote:
I was told to write here for your writeup on what to block and such
to help you guys out given the DOS that is ongoing.
Todd Fries .. todd () fries net
| \ 1.636.410.0632 (voice)
| Free Daemon Consulting, LLC \ 1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com \ 1.866.792.3418 (FAX)
| "..in support of free software solutions." \ 250797 (FWD)
37E7 D3EB 74D0 8D66 A68D B866 0326 204E 3F42 004A
Penned by Mike Lyon on 20090109 16:41.04, we have:
| If so, would you mind hitting me up offlist? I have a few questions that i
| am unable to get answered through normal channels.