Re: isprime DOS in progress
From: Mark Andrews <Mark_Andrews () isc org>
Date: Sat, 24 Jan 2009 11:00:21 +1100

In message <9A251497-E94C-4693-8E89-3FD3ACF6D138 () stupendous net>, Nathan Ollerenshaw writes:
On 24/01/2009, at 6:46 AM, Steven Lisson wrote:

I agree with seeing no traffic to/from but am still
seeing flows 'from'

Hi Steve,

There is at least an iptables rule you can use to drop this specific
query, assuming your nameservers run Linux.

The bind-users mailing list suggested having the ISPs trace back the  
flows and find the networks emitting the spoofed packets, and have  
those networks implement BCP 38.

        It was also said here.

While that's the 'right' solution  
(everyone should be doing ingress filtering, sure, impossible to argue  
against it), not every network out there is operated by people who  
give a damn.

        I would suggest that you don't want to peer with such

        I would suggest that deploying BCP 38 be a requirement for

This will work at least until the kiddies improve their scripts to
query for names that actually exist.

On 24/01/2009, at 8:21 AM, Chris McDonald wrote:

We [AS3491] null0'd the IP earlier.  Rest-of-world encouraged to do  
the same :/

Good luck with that. Right now they're targeting ISPrime, and you've
just made the DoS even more effective for them. With any luck, the
rest of the world will follow suit and the bad guys win! yay! :)

Short of getting the rest of the world to properly implement ingress
filtering (ha, ha), I think dropping the specific packets that
generate the reflected traffic is good enough for now. The load on the
reflectors is minimal.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews () isc org
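The narrow filter Mark favours over null-routing the victim starts with recognising the reflected-query pattern in the reflector's own logs. The following is an added example, not code from this thread or from ISC: it parses constructed BIND-style query-log lines (RFC 5737 documentation addresses, made-up query names) and flags any source that repeats one identical query at a rate no caching resolver would, so the operator can drop that one query instead of the address.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of BIND-style query-log lines (not taken from the thread).
# 192.0.2.10 plays the spoofed "victim" address that the flows appear to come 'from';
# the 198.51.100.0/24 hosts are ordinary clients with a normal query mix.
SAMPLE_LOG = "\n".join(
    [f"24-Jan-2009 08:58:11.{i:03d} client 192.0.2.10#12345: query: example.test IN NS +"
     for i in range(8)]
    + [
        "24-Jan-2009 08:58:12.000 client 198.51.100.7#40211: query: www.example.test IN A +",
        "24-Jan-2009 08:58:12.100 client 198.51.100.9#51022: query: mail.example.test IN MX +",
        "24-Jan-2009 08:58:12.200 client 198.51.100.7#40212: query: example.test IN NS +",
    ]
)

# Matches the "client <ip>#<port>: query: <name> IN <type>" part of a BIND query-log line.
LINE_RE = re.compile(
    r"client (?P<src>[\d.]+)#(?P<sport>\d+): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return source, port, name and type of one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def find_reflection_candidates(log_text, threshold=5):
    """Map (src, qname, qtype) -> count for identical queries seen at least `threshold` times.

    A real resolver caches, so the same (name, type) repeated many times from one
    address in a short window is the signature of spoofed reflection traffic. The
    returned key is exactly what a narrow drop rule should match on.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["src"], rec["qname"], rec["qtype"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def source_profile(log_text):
    """Map src -> (total queries, share taken by its single most common query)."""
    per_src = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_src[rec["src"]][(rec["qname"], rec["qtype"])] += 1
    return {src: (sum(c.values()), max(c.values()) / sum(c.values()))
            for src, c in per_src.items()}
```

A share near 1.0 on a high-volume source in `source_profile` is the spoofed-victim pattern; the legitimate client on the same list shows a mixed profile, which is why dropping by address alone punishes the wrong party.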
