On Mon, 16 May 2016 14:23:49 -0700, Brian Somers wrote:
>Hi folks,
>
>I work at OpenDNS. We saw a DoS attack in Miami on Friday night around
>10-11:00pm PST, consisting of UDP DNS requests for AAA.BBB.CCC.DDD where each
>of AAA, BBB, CCC and DDD are three-digit numbers not greater than 500.
>
>Each query was answered with an NXDOMAIN by the root servers, although our
>resolvers cached the NXDOMAIN for 1 hour (we cap negative responses at 1 hour
>despite the larger SOA MINIMUM) it was ineffective in reducing the load on the
>root servers as every varying query was another root server request.
>
>We eventually blackholed all TLDs from 000 to 500 to stifle the problem
>(locally delegating them to 127.0.0.1 where we don't listen).
>
>However, during the attack, we also saw a huge number of TCP sockets in
>TIME_WAIT talking to root servers (probably all root servers). I'm curious if
>
>1. Are root servers doing some sort of tar pitting where they send a TC and
>then firewall port 53?
Being asked to retry with TCP sounds like Response Rate Limiting (RRL). See for example
https://kb.isc.org/article/AA-00994/0/Using-the-Response-Rate-Limiting-Feature-in-BIND-9.10.html

The KB article talks about doing it in response to a large number of NXDOMAINs per unit time, as it sounds like you encountered.

-John Heidemann

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
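As an added illustration of the mechanism John points to (this is not code from the thread, ISC or BIND): a simplified model of RRL that pools identical responses, here NXDOMAINs, per client /24 and, once the per-second budget is spent, either drops the UDP reply or "slips" a truncated (TC=1) one so a real client retries over TCP, which is what produces the TIME_WAIT sockets Brian saw. The budget (5/s), slip value (2) and the traffic are assumed and constructed, not the root servers' settings.

```python
# Simplified Response Rate Limiting (RRL) model; an added example, not ISC/BIND code.
# Budget and slip values below are assumed, not those of any real root server.
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class RRL:
    """Per-second budget of identical responses for one client prefix."""
    responses_per_second: int = 5   # assumed budget
    slip: int = 2                   # every 2nd over-limit response goes out with TC=1
    _counts: dict = field(default_factory=dict)
    _slipped: dict = field(default_factory=dict)

    def decide(self, client_ip: str, rcode: str, now: float) -> str:
        # RRL buckets by client /24 and response type, so thousands of distinct
        # NXDOMAIN names from one network share a single budget.
        net = str(ip_network(f"{client_ip}/24", strict=False))
        key = (net, rcode, int(now))
        self._counts[key] = self._counts.get(key, 0) + 1
        if self._counts[key] <= self.responses_per_second:
            return "answer"                 # normal UDP response
        slip_key = (net, rcode)
        self._slipped[slip_key] = self._slipped.get(slip_key, 0) + 1
        if self.slip and self._slipped[slip_key] % self.slip == 0:
            return "truncate"               # TC=1, empty answer: a real client retries over TCP
        return "drop"                       # UDP response silently dropped


def simulate(queries, limiter=None) -> Counter:
    """Feed (client_ip, qname, rcode, t) tuples through the limiter and count outcomes."""
    limiter = limiter or RRL()
    return Counter(limiter.decide(ip, rcode, t) for ip, _, rcode, t in queries)


# Constructed traffic: twelve junk "TLD" lookups of the NNN.NNN.NNN.NNN shape
# from one /24 within the same second, all of which the root answers NXDOMAIN.
ATTACK = [("192.0.2.%d" % (i % 8 + 1), f"{100+i}.{200+i}.{300+i}.{400+i}", "NXDOMAIN", 1000.2)
          for i in range(12)]
# One legitimate NOERROR lookup from an unrelated network is not affected.
LEGIT = [("198.51.100.7", "www.example.com", "NOERROR", 1000.5)]

if __name__ == "__main__":
    print(simulate(ATTACK + LEGIT))   # Counter({'answer': 6, 'drop': 4, 'truncate': 3})
```

Setting `slip=0` models the pure-drop configuration: the same burst then yields 5 answers and 7 drops, and no TCP retries at all.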