[BlueOnyx:05323] Re: DNS DDOS?
Gerald Waugh
gwaugh at frontstreetnetworks.com
Fri Sep 3 21:50:15 -05 2010
On Sat, 2010-09-04 at 10:26 +1000, Greg Kuhnert wrote:
> I've been noticing some interesting log messages.... I am curious if
> anyone else is seeing this pattern...
>
> This attack was originally designed to get reply traffic from DNS
> servers that respond to recursive queries, and thus acting as traffic
> amplifiers .... The good news is that bluequartz/blueonyx doesn't respond
> to recursive queries by default... However, the spoofed traffic I think
> is being sent from compromised servers.... Even if the reply traffic is
> not amplified, they are still benefiting from the "packet laundering"
> our servers are providing....
>
> grep 'named.*denied$' /var/log/messages
>
> If there are enough people out there getting hit with this stuff, I'll
> do a dfix update to trigger on these log entries.... but I will also
> change dfix to do DROP instead of REJECT in that release, so that we
> don't reply to the spoofed traffic with our ICMP unreachables.
>
> Let me know what you're seeing out there.
>
Greg,
FYI I checked several servers and found nothing
Gerald
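The detection Greg describes above (match the "denied" lines named writes to /var/log/messages, count them per source address, and block repeat offenders with DROP rather than REJECT) can be prototyped in a few lines. The following is an added example written for this archive page; it is not dfix, not BlueOnyx code, and not part of either message. The log lines are constructed samples in the BIND 9 "query (cache) ... denied" format, the 3-hit threshold and the iptables rule shape are assumptions, and the script only builds the rule strings rather than running them.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages lines (not taken from the thread).
# Four denied recursive queries from 192.0.2.10, one from 198.51.100.7,
# plus two unrelated lines that must be ignored by the matcher.
SAMPLE_LOG = """\
Sep  4 10:12:33 web1 named[2345]: client 192.0.2.10#53042: query (cache) 'isc.org/ANY/IN' denied
Sep  4 10:12:33 web1 named[2345]: client 192.0.2.10#53043: query (cache) 'isc.org/ANY/IN' denied
Sep  4 10:12:34 web1 named[2345]: client 192.0.2.10#53044: query (cache) 'isc.org/ANY/IN' denied
Sep  4 10:12:35 web1 named[2345]: client 198.51.100.7#4321: query (cache) 'ripe.net/ANY/IN' denied
Sep  4 10:12:36 web1 sshd[777]: Accepted publickey for admin from 203.0.113.5 port 40000 ssh2
Sep  4 10:12:37 web1 named[2345]: client 192.0.2.10#53045: query (cache) 'isc.org/ANY/IN' denied
Sep  4 10:12:38 web1 named[2345]: client 203.0.113.9#1234: query: 'example.com/A/IN' approved
"""

# Same idea as grep 'named.*denied$', but capturing the client address.
# The optional "@0x... " group tolerates newer BIND builds that log a
# client-handle pointer before the address; IPv6 addresses are accepted too.
DENIED_RE = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-fA-F]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+.*: query .* denied$"
)


def parse_denied(lines):
    """Return a Counter of source IP -> number of denied named queries."""
    counts = Counter()
    for line in lines:
        m = DENIED_RE.search(line.rstrip("\n"))
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(counts, threshold=3):
    """Addresses that hit the denied log at least `threshold` times (assumed value)."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def drop_rules(ips):
    """Build iptables rules for the offending addresses.

    DROP is used deliberately: a REJECT would answer the (possibly spoofed)
    source with an ICMP unreachable, which is exactly the reply traffic the
    attacker is trying to provoke. Rule shape is an assumption of this example.
    """
    return [f"iptables -I INPUT -s {ip} -p udp --dport 53 -j DROP" for ip in ips]


if __name__ == "__main__":
    counts = parse_denied(SAMPLE_LOG.splitlines())
    for ip, n in counts.most_common():
        print(f"{ip:<16} {n} denied")
    for rule in drop_rules(offenders(counts)):
        print(rule)
```

Because the traffic is spoofed, the address in the "client" field is the address of whoever the attacker wants flooded, not the attacker's own; a DROP rule therefore stops this host from contributing to the flood against that victim, which is the stated goal, but it does not identify the sender. Running it over a real /var/log/messages is a matter of replacing SAMPLE_LOG.splitlines() with the open file.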