nanog mailing list archives

Re: isprime DOS in progress
From: Graeme Fowler <graeme () graemef net>
Date: Wed, 21 Jan 2009 17:08:12 +0000

On Tue, 2009-01-20 at 14:55 -0600, Todd T. Fries forwarded:
 From: ISPrime Support <support () isprime com>
 These are the result of a spoofed dns recursion attack against our servers. The actual packets in question (the ones reaching your servers) do NOT originate from our network; as such, there is no way for us to filter things from our end.
 If you are receiving queries from neither of these machines make legitimate outbound dns requests, so an inbound filter of packets to udp/53 from either of these two sources is perfect.
 If you are receiving queries from these servers are authoritative nameservers. Please do not blackhole either of these IPs as they host many domains. However, these IPs do not make outbound DNS requests, so filtering requests to your IPs from these IPs with a destination port of 53 should block any illegitimate requests.

I've been seeing a lot of noise from the latter two addresses after
switching on query logging (and finishing an application of Team Cymru's
excellent template) so I decided to DROP traffic from the addresses
(with source port != 53) at the hosts in question.

Well, blow me down if they didn't completely stop talking to me. Four
dropped packets each, and they've gone away.

Something smells "not quite right" here - if the traffic is spoofed, and
my "Refused" responses have been flying right back to the *real* IP
addresses, how are the spoofing hosts to know that I'm dropping the

Even if I used a REJECT policy, I'd expect the ICMP messages to go back
to the appropriate - as in real - hosts, rather than the spoofing

Something here is very odd, very odd indeed... or I'm being dumb. It's
happened before.
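As an added illustration of the approach Graeme describes (switch on query logging, then drop traffic from the named sources that does not come from source port 53), the following Python, which is not part of the post, counts per-source queries in constructed BIND 9-style query-log lines and reports sources whose non-port-53 query volume crosses a threshold. The log format and regex, the documentation-range addresses, and the threshold are all assumptions, not values from the thread.

```python
import re
from collections import Counter, defaultdict

# Assumed (older BIND 9 style) query-log line, constructed for this example:
# "<date> <time> client <ip>#<port>: query: <name> <class> <type> <flags> (<local ip>)"
LOG_RE = re.compile(
    r"client (?P<ip>[\d.]+)#(?P<port>\d+): query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+)"
)

# Constructed sample log: one source hammering "ANY ." from an ephemeral port (a
# reflection pattern), the same source sending a genuine reply-like query from
# port 53, and a second source making ordinary lookups.
SAMPLE_LOG = """\
21-Jan-2009 16:58:01.001 client 203.0.113.10#2139: query: . IN ANY + (192.0.2.53)
21-Jan-2009 16:58:01.004 client 203.0.113.10#2139: query: . IN ANY + (192.0.2.53)
21-Jan-2009 16:58:01.010 client 203.0.113.10#2139: query: . IN ANY + (192.0.2.53)
21-Jan-2009 16:58:01.013 client 203.0.113.10#2139: query: . IN ANY + (192.0.2.53)
21-Jan-2009 16:58:02.500 client 203.0.113.10#53: query: example.net IN A + (192.0.2.53)
21-Jan-2009 16:58:03.120 client 198.51.100.7#49152: query: www.example.org IN A + (192.0.2.53)
21-Jan-2009 16:58:04.233 client 198.51.100.7#49153: query: mail.example.org IN MX + (192.0.2.53)
""".splitlines()


def parse_queries(lines):
    """Yield (src_ip, src_port, qname, qtype) for every line that matches LOG_RE."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m["ip"], int(m["port"]), m["name"], m["qtype"]


def reflection_candidates(lines, threshold=3):
    """Return {src_ip: (count, qname, qtype)} for sources that sent more than
    `threshold` queries from a source port other than 53, with the most common
    name/type they asked for. Port-53 traffic is skipped, mirroring the post's
    filter, so a nameserver's own replies are never counted against it."""
    counts = Counter()
    shapes = defaultdict(Counter)
    for ip, port, name, qtype in parse_queries(lines):
        if port == 53:
            continue
        counts[ip] += 1
        shapes[ip][(name, qtype)] += 1
    result = {}
    for ip, n in counts.items():
        if n > threshold:
            (name, qtype), _ = shapes[ip].most_common(1)[0]
            result[ip] = (n, name, qtype)
    return result


if __name__ == "__main__":
    for ip, (n, name, qtype) in reflection_candidates(SAMPLE_LOG).items():
        print(f"{ip}: {n} queries from src port != 53, mostly {qtype} {name}")
```

The reported sources are candidates for the kind of source-port-aware drop rule Graeme applied; they still warrant a look before filtering, since a spoofed victim and a misbehaving client look the same in the log.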
