[prev in list] [next in list] [prev in thread] [next in thread]
List: freebsd-hackers
Subject: DNS DDoS
From: Doug Barton <dougb () freebsd ! org>
Date: 2007-11-26 1:05:56
Message-ID: 474A1BF4.5060901 () FreeBSD ! org
[Download RAW message or body]
Joel V. wrote:
> As a lot of people recommended using tcpdump, here it is. The only thing
> that stands out, are hundreds and thousands of lines like this:
>
> 13:45:49.991592 IP 82.165.252.222.36887 > ns1.galandrex.ee.43077: UDP,
> length 9216
...
> That IP resolves to u15194704.onlinehome-server.com. Seems to be a german
> ISP. After five seconds the capture.out file was already 2.8MB. You can see
> the file here: https://89.219.136.126/capture.out
Your name server IP is not answering, so I'm guessing here, but it
seems to me that you're being used as a reflector for a DNS based DDoS
attack. If ns1.galandrex.ee is not authoritative for any domains
(i.e., not listed at any registries/registrars as the NS for a
domain), you should make sure that it's firewalled off so that the
outside world cannot reach it. This type of attack is becoming very
common, but fortunately the answer is simple.
If you need any help with the DNS side of the equation feel free to
contact me directly.
Doug
--
This .signature sanitized for your protection
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic