Home page logo

nanog logo nanog mailing list archives

Re: isprime DOS in progress
From: Graeme Fowler <graeme () graemef net>
Date: Wed, 21 Jan 2009 19:32:14 +0000

On Wed, 2009-01-21 at 12:27 -0500, Phil Rosenthal wrote:
Representing ISPrime here.

Well... representing myself and nobody else, so if that stretches my
credibility thin so be it.

It's somewhat absurd to suggest that we are attacking our own  
nameservers, I assure you, we didn't spend many hours looking for your  
specific nameserver to start sending 10 requests per second for the  
root zone, and our nameservers serve many popular domains.

I just checked to make sure I did not make that assertion. I did not.

I observed something odd, and stated as much to see if anyone else did.
I apologise if you read my message as insinuating what you stated, but I
assure you that wasn't the intention.

I did say "maybe I'm being dumb", and that is indeed the answer - I
applied a temporary netfilter ruleset, then made it permanent - and it
switched the DROP and LOG statements round so that... the packet got
dropped first and the log statements never got hit. Schoolboy error (and
interesting that someone else has observed this behaviour before!)...

Normal service has been resumed. I should write a haiku here (sorry,
MLC, poor joke).

Given the attack is still in progress, I can't really say much more  
publicly, but suffice to say, we're working on the situation.

In a previous job I've been on the receiving end of similar attacks so I
have a large degree of understanding of the pressure you're under at the
moment. I wish you the best of luck sorting it out.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]