[Pdns-users] DNS amplification attack advice

kalpesh thaker kalpesh at webdevworld.com
Wed May 30 09:12:12 UTC 2012


On 30/05/2012 09:53, Stephane Bortzmeyer wrote:
> On Tue, May 29, 2012 at 04:32:23PM +0200,
>   kalpesh thaker<kalpesh at webdevworld.com>  wrote
>   a message of 252 lines which said:
>
>> - max-tcp-connections set to 60
> ...
>> - setup IPtables with a chain to reject udp/tcp connections
> ...
>> they seem to think these IP addresses have all been spoofed for
>> this amplification attack.
> I'm confused. The attacker uses TCP or not? If yes, it is very
> unlikely they were able to spoof the IP addresses.
>

According to tcpdump -vn, the connections were mostly TCP. However, 
there were a lot of repetitive incoming UDP packets coming in during the 
early stages, for authoritative domains on our NS, querying TXT RRs. 
This is why I suspected amplification as being possible in this DoS 
attack. Immediately when I saw this, I dropped all incoming traffic from 
those IPs with iptables. I could be mistaken though, but it did look 
suspect.

The one ISP we contacted who managed the reported IP addresses said 
that they suspected their IPs had been spoofed, without providing more 
information. There were UDP packets coming in from those 'IPs', so I 
concluded that spoofing and amplification may have been plausible.

However, another ISP's abuse department confirmed that their server was 
actually sending out TCP (and not UDP) traffic on port 53 to our NSs, 
and was disabled before we sent in an abuse report.

Thanks for the info on the hashlimit for iptables; will give that a try 
on one of our slaves.
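As an added illustration for this thread (example code, not part of the original post or of PowerDNS), the script below does the triage described above on a `tcpdump -vn` capture: it splits queries to the name server by transport, counts per source how many UDP queries ask for large-answer record types such as TXT, and flags the sources whose traffic fits the reflection/amplification pattern while leaving TCP senders alone, since a TCP query has completed a handshake and so its source address is the real sender. The capture text, the server address 192.0.2.1 and the client addresses are constructed, and the regexes assume the two-line-per-packet layout of `tcpdump -vn`.

```python
"""Triage a tcpdump -vn capture of traffic to an authoritative name server:
split queries by transport (UDP vs TCP) and flag sources that hammer the
server with repetitive UDP queries for amplification-friendly record types.
Example code added to this thread, not from the PowerDNS project."""
import re
from collections import defaultdict

# Constructed, simplified sample in the shape of `tcpdump -vn` output: a header line per
# packet carrying the transport protocol, followed by the DNS line. Not a real capture;
# 192.0.2.1 stands in for the name server under attack.
SAMPLE_CAPTURE = """\
09:12:01.000001 IP (tos 0x0, ttl 54, id 1, offset 0, flags [none], proto UDP (17), length 68)
    198.51.100.7.53211 > 192.0.2.1.53: 4321+ [1au] TXT? example.net. (40)
09:12:01.000210 IP (tos 0x0, ttl 54, id 2, offset 0, flags [none], proto UDP (17), length 68)
    198.51.100.7.53211 > 192.0.2.1.53: 4321+ [1au] TXT? example.net. (40)
09:12:01.000402 IP (tos 0x0, ttl 54, id 3, offset 0, flags [none], proto UDP (17), length 68)
    198.51.100.7.53211 > 192.0.2.1.53: 4321+ [1au] TXT? example.net. (40)
09:12:01.000615 IP (tos 0x0, ttl 54, id 4, offset 0, flags [none], proto UDP (17), length 68)
    198.51.100.7.53211 > 192.0.2.1.53: 4321+ [1au] TXT? example.net. (40)
09:12:01.000833 IP (tos 0x0, ttl 54, id 5, offset 0, flags [none], proto UDP (17), length 68)
    198.51.100.7.53211 > 192.0.2.1.53: 4321+ [1au] TXT? example.net. (40)
09:12:01.001040 IP (tos 0x0, ttl 54, id 6, offset 0, flags [none], proto UDP (17), length 68)
    198.51.100.7.53211 > 192.0.2.1.53: 4321+ [1au] TXT? example.net. (40)
09:12:01.200000 IP (tos 0x0, ttl 61, id 7, offset 0, flags [none], proto UDP (17), length 58)
    203.0.113.9.40021 > 192.0.2.1.53: 1001+ A? www.example.net. (30)
09:12:01.250000 IP (tos 0x0, ttl 61, id 8, offset 0, flags [none], proto UDP (17), length 59)
    203.0.113.9.40022 > 192.0.2.1.53: 1002+ A? mail.example.net. (31)
09:12:02.000000 IP (tos 0x0, ttl 57, id 9, offset 0, flags [DF], proto TCP (6), length 92)
    192.0.2.200.44512 > 192.0.2.1.53: Flags [P.], seq 1:41, ack 1, win 229, length 40 2001+ TXT? example.net. (38)
09:12:02.010000 IP (tos 0x0, ttl 57, id 10, offset 0, flags [DF], proto TCP (6), length 92)
    192.0.2.200.44513 > 192.0.2.1.53: Flags [P.], seq 1:41, ack 1, win 229, length 40 2002+ TXT? example.net. (38)
09:12:02.020000 IP (tos 0x0, ttl 57, id 11, offset 0, flags [DF], proto TCP (6), length 92)
    192.0.2.200.44514 > 192.0.2.1.53: Flags [P.], seq 1:41, ack 1, win 229, length 40 2003+ TXT? example.net. (38)
"""

# The header line of each packet in `tcpdump -vn` output names the transport protocol.
HEADER_RE = re.compile(r"proto (UDP|TCP) \(\d+\)")
# The DNS line: "src.port > dst.port: ... QTYPE? qname."
QUERY_RE = re.compile(r"^\s*(\S+) > (\S+): .*?\b([A-Z][A-Z0-9]*)\? (\S+)")

# Record types whose answers are typically much larger than the query, which is what makes
# a reflection/amplification attack worthwhile for the attacker.
AMPLIFYING_QTYPES = {"TXT", "ANY", "DNSKEY", "RRSIG"}


def strip_port(endpoint):
    """'198.51.100.7.53211' -> '198.51.100.7' (tcpdump appends the port as a final dotted field)."""
    return endpoint.rsplit(".", 1)[0]


def parse_capture(text):
    """Return a list of (proto, src_ip, dst_ip, qtype, qname) tuples from tcpdump -vn style text."""
    records = []
    proto = None
    for line in text.splitlines():
        header = HEADER_RE.search(line)
        if header:
            proto = header.group(1)
            continue
        query = QUERY_RE.match(line)
        if query and proto:
            src, dst, qtype, qname = query.groups()
            records.append((proto, strip_port(src), strip_port(dst), qtype, qname))
        proto = None  # each header line describes exactly one following packet line
    return records


def summarize_by_source(records):
    """Per source IP: UDP/TCP query counts, amplification-friendly UDP query count, names asked."""
    stats = defaultdict(lambda: {"udp": 0, "tcp": 0, "udp_amp": 0, "names": set()})
    for proto, src, _dst, qtype, qname in records:
        entry = stats[src]
        entry[proto.lower()] += 1
        if proto == "UDP" and qtype in AMPLIFYING_QTYPES:
            entry["udp_amp"] += 1
        entry["names"].add(qname)
    return dict(stats)


def suspect_sources(stats, min_udp=5, min_amp_share=0.8):
    """Sources sending at least `min_udp` UDP queries, mostly for amplification-friendly types.

    Only UDP counts here: a TCP query needs a completed handshake, so its source address is
    the real sender, not a spoofed reflection victim.
    """
    flagged = []
    for src, entry in stats.items():
        if entry["udp"] >= min_udp and entry["udp_amp"] / entry["udp"] >= min_amp_share:
            flagged.append(src)
    return sorted(flagged)


def report(text):
    """Print a per-source triage of a capture and return the list of flagged sources."""
    stats = summarize_by_source(parse_capture(text))
    for src, entry in sorted(stats.items()):
        print(f"{src:>16}  udp={entry['udp']:<3} tcp={entry['tcp']:<3} "
              f"udp_amp={entry['udp_amp']:<3} names={sorted(entry['names'])}")
    flagged = suspect_sources(stats)
    print("suspected reflection sources (candidates for per-source rate limiting):", flagged)
    return flagged


if __name__ == "__main__":
    report(SAMPLE_CAPTURE)
```

On the constructed sample only 198.51.100.7 is flagged: the two A queries from 203.0.113.9 are ordinary resolver traffic, and 192.0.2.200 only ever speaks TCP, which matches the thread's point that a TCP sender was a real, non-spoofed host. The flagged UDP sources are exactly what an iptables `-m hashlimit --hashlimit-mode srcip` rule on udp/53, as suggested earlier in the thread, would throttle per source rather than blanket-blocking; real captures differ in layout (IPv6, different tcpdump versions), so adjust the two regexes before relying on them.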


