[Pdns-users] DNS amplification attack advice

kalpesh thaker kalpesh at webdevworld.com
Wed May 30 09:12:12 UTC 2012

On 30/05/2012 09:53, Stephane Bortzmeyer wrote:
> On Tue, May 29, 2012 at 04:32:23PM +0200,
>   kalpesh thaker<kalpesh at webdevworld.com>  wrote
>   a message of 252 lines which said:
>> - max-tcp-connections set to 60
> ...
>> - setup IPtables with a chain to reject udp/tcp connections
> ...
>> they seem to think they these IP address have all been spoofed for
>> this amplification attack.
> I'm confused. The attacker uses TCP or not? If yes, it is very
> unlikely they were able to spoof the IP addresses.

according to tcpdump -vn, the connections were mostly TCP.. however 
there were alot of repetitive incoming UDP packets coming in during the 
early stages, for authoritative domains on our NS querying TXT RR's. 
This is why i suspected amplification as being possible in this DOS 
attack. Immediately when i saw this, i dropped all incoming traffic from 
those IP's with IPtables. i could be mistaken though, but it did look 

the one ISP we contacted who managed the reported IP addresses, said 
that they suspected their IP's had been spoofed without providing more 
information. there were UDP packets coming in from those 'IP's".. so i 
concluded that spoofing and amplification may have been plausible.

However, another ISP's abuse department confirmed that their server was 
actually sending out TCP (and not UDP) traffic on port 53 to our NS's, 
and was disabled before we sent in an abuse report.

Thanks for the info on the hashlimit for IPtables.. will give that a try 
on one of our slaves

More information about the Pdns-users mailing list