[BlueOnyx:05319] DNS DDOS?
Greg Kuhnert
gkuhnert at compassnetworks.com.au
Fri Sep 3 19:26:14 -05 2010
I've been noticing some interesting log messages.... I am curious if
anyone else is seeing this pattern...
This attack was originally designed to get reply traffic from DNS
servers that respond to recursive queries, and thus act as traffic
amplifiers .... The good news is that BlueQuartz/BlueOnyx doesn't respond
to recursive queries by default... However, the spoofed traffic I think
is being sent from compromised servers.... Even if the reply traffic is
not amplified, they are still benefiting from the "packet laundering"
our servers are providing....
grep 'named.*denied$' /var/log/messages
If there are enough people out there getting hit with this stuff, I'll
do a dfix update to trigger on these log entries.... but I will also
change dfix to do DROP instead of REJECT in that release, so that we
don't reply to the spoofed traffic with our ICMP unreachables.
Let me know what you're seeing out there.
Regards,
Greg.
--
+---------------------------------------------------------------------+
| / \ Greg Kuhnert, gkuhnert at compassnetworks.com.au |
|< o> Compass Networks - Pointing you in the right direction |
| \ / Come see us for BlueQuartz / BlueOnyx modules & Support. |
+---------------------------------------------------------------------+
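The detection idea in the post (grep the `named ... denied` lines, count them, and block with DROP rather than REJECT) as an added Python example. This is not Greg's dfix code and not part of the original post: the log lines are constructed in the BIND `query (cache) '...' denied` format, and the per-source threshold is an assumed value. Because the source addresses in this kind of traffic are spoofed, the generated DROP rules silence replies to the apparent sender rather than punishing a confirmed attacker, which is exactly why DROP (no ICMP unreachable) is preferable to REJECT here.

```python
import re
from collections import Counter

# Constructed sample /var/log/messages lines (not from the original post).
# Four denied recursive queries from one source, one from another, and an
# unrelated sshd line that the pattern must ignore.
SAMPLE_LOG = """\
Sep  3 19:20:01 web1 named[2231]: client 192.0.2.10#53211: query (cache) 'example.com/A/IN' denied
Sep  3 19:20:01 web1 named[2231]: client 192.0.2.10#53212: query (cache) 'example.com/A/IN' denied
Sep  3 19:20:02 web1 named[2231]: client 192.0.2.10#53213: query (cache) 'example.com/A/IN' denied
Sep  3 19:20:02 web1 named[2231]: client 198.51.100.7#40001: query (cache) 'isc.org/ANY/IN' denied
Sep  3 19:20:03 web1 sshd[2300]: Accepted publickey for admin from 203.0.113.5 port 50000 ssh2
Sep  3 19:20:04 web1 named[2231]: client 192.0.2.10#53214: query (cache) 'example.com/A/IN' denied
"""

# Same intent as  grep 'named.*denied$'  but also captures the client address.
DENIED_RE = re.compile(r"named\[\d+\]: client (?P<ip>[\d.]+)#\d+: query .* denied$")

# Assumed threshold: how many denied queries from one source before we act.
THRESHOLD = 3


def count_denied(log_text):
    """Return a Counter of denied-query lines per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(counts, threshold=THRESHOLD):
    """Sources that hit the threshold, sorted for stable output."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def drop_rules(ips):
    """Firewall rules for the offenders.

    DROP, not REJECT: a REJECT would answer the (spoofed) source with an
    ICMP unreachable, i.e. we would still be relaying traffic to the victim.
    """
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    counts = count_denied(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip:16} {n} denied")
    for rule in drop_rules(offenders(counts)):
        print(rule)
```

Running the block prints the per-source counts and one DROP rule for 192.0.2.10; 198.51.100.7 stays below the threshold. In practice the same function would be fed the output of the grep above, and the rules would be applied by whatever wrapper (dfix or otherwise) already manages the host's iptables chain.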