DNS DoS ???
- Subject: DNS DoS ???
- From: blake at pfankuch.me (Blake T. Pfankuch)
- Date: Fri, 29 Jul 2011 21:33:27 +0000
- In-reply-to: <F3318834F1F89D46857972DD4B411D700520368F2B@exchange>
- References: <CACRGtSOSPm12YE3S=n801ooun32VrXsRfP7yqO55kcHMSnss9A@mail.gmail.com> <F3318834F1F89D46857972DD4B411D700520368F2B@exchange>
I've seen this for the same on about 3 sets of nameservers I operate. fail2ban doing a 72-hour iptables drop rule.
-----Original Message-----
From: Drew Weaver [mailto:drew.weaver at thenap.com]
Sent: Friday, July 29, 2011 3:01 PM
To: 'Elliot Finley'; nanog at nanog.org
Subject: RE: DNS DoS ???
We've been seeing this for several years on and off.
thanks,
-Drew
-----Original Message-----
From: Elliot Finley [mailto:efinley.lists at gmail.com]
Sent: Friday, July 29, 2011 2:51 PM
To: nanog at nanog.org
Subject: DNS DoS ???
My DNS servers were getting slow so I blocked recursive queries for all but my own network.
Then I was getting so many of these:
ns2 named[5056]: client 78.159.111.190#25345: query (cache) 'isc.org/ANY/IN' denied
that it was still slowing things down. I've since written a script to watch the log and throw these into the box's local firewall. If I expire the entries after 24 hours then I accumulate about 10200 unique IPs. If I expire after 48 hours, then it's just over 20000 unique IPs.
Is anyone else seeing this?
Elliot
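As an added example (not Elliot's script, which the thread does not include), the Python below parses BIND "query (cache) ... denied" lines of the shape quoted above and expires offending client IPs after a configurable window, so the 24-hour versus 48-hour unique-IP comparison can be reproduced on sample input. It assumes a standard syslog prefix without a year (2011 is supplied to match the thread), and the sample log lines are constructed; only 78.159.111.190 comes from the thread.

```python
import re
from datetime import datetime, timedelta

# Syslog-prefixed BIND "query denied" line of the form quoted in the thread.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: "
    r"query \(cache\) '(?P<qname>[^']+)' denied"
)

def parse_denied(line, year=2011):
    """Return (timestamp, client_ip, qname) for a denied query line, else None.
    Syslog omits the year, so the caller supplies it (2011 matches the thread)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip"), m.group("qname")

class DenyTracker:
    """Remembers each offending client for a fixed window after its last denied query."""
    def __init__(self, expire_after):
        self.expire_after = expire_after
        self.last_seen = {}  # ip -> time of the most recent denied query

    def feed(self, line):
        parsed = parse_denied(line)
        if parsed:
            ts, ip, _ = parsed
            self.last_seen[ip] = max(ts, self.last_seen.get(ip, ts))

    def active(self, now):
        """IPs whose last denial falls inside the window; stale entries are dropped."""
        cutoff = now - self.expire_after
        self.last_seen = {ip: t for ip, t in self.last_seen.items() if t >= cutoff}
        return sorted(self.last_seen)

# Constructed sample log lines; only 78.159.111.190 appears in the thread itself.
SAMPLE_LOG = [
    "Jul 28 13:00:00 ns2 named[5056]: client 198.51.100.7#5353: query (cache) 'isc.org/ANY/IN' denied",
    "Jul 29 14:51:02 ns2 named[5056]: client 78.159.111.190#25345: query (cache) 'isc.org/ANY/IN' denied",
    "Jul 29 14:51:03 ns2 named[5056]: client 203.0.113.9#40001: query (cache) 'isc.org/ANY/IN' denied",
    "Jul 29 14:51:05 ns2 named[5056]: client 203.0.113.9#40002: query (cache) 'isc.org/ANY/IN' denied",
    "Jul 29 14:51:09 ns2 named[5056]: client 192.0.2.44#1025: query 'example.com/A/IN' approved",
]
EXAMPLE_NOW = datetime(2011, 7, 29, 15, 0, 0)  # constructed "now", just after the last sample line

def unique_offenders(lines, hours, now):
    """Unique client IPs still inside an `hours`-long expiry window at `now`."""
    tracker = DenyTracker(timedelta(hours=hours))
    for line in lines:
        tracker.feed(line)
    return tracker.active(now)
```

With a 24-hour window the Jul 28 client has already expired, so only two addresses remain active; with 48 hours all three do, which is the same effect Elliot describes for his 10200 versus 20000 counts. Note that source addresses on queries like these are frequently spoofed, so a block list built this way reduces load on the resolver but does not reliably identify who is sending the traffic.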