[nlug] DNS attack mitigation suggestions?

2014-02-27 Thread David R. Wilson
Hi guys,

I have had a problem with non-resolvable IP addresses hitting my DNS
server (running BIND9) and eating up bandwidth.  I am sure there are some
instructions on how to assure the IP numbers resolve, but I apparently
missed the instructions.

Some of those addresses I put into firewall rules to drop the inquiry.
Since then someone decided random IP addresses were more fun.  Rate
limiting doesn't seem to help.

Anyone in the group have the short story on how to fix this?

Dave

-- 
-- 
You received this message because you are subscribed to the Google Groups 
"NLUG" group.
To post to this group, send email to nlug-talk@googlegroups.com
To unsubscribe from this group, send email to 
nlug-talk+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/nlug-talk?hl=en

--- 
You received this message because you are subscribed to the Google Groups 
"NLUG" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to nlug-talk+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


Re: [nlug] DNS attack mitigation suggestions?

2014-02-27 Thread Wesley Duffee-Braun
Hi Dave,

Have you looked into Fail2Ban? I've used it in the past to dynamically
block random-and-repeating IPs.

http://www.fail2ban.org/wiki/index.php/Main_Page

 - Wesley


On Thu, Feb 27, 2014 at 12:29 PM, David R. Wilson  wrote:

> Hi guys,
>
> I have had a problem with non resolvable IP addresses hitting my DNS
> server (running BIND9) and eating up bandwidth.  I am sure there is some
> instructions on how to assure the IP numbers resolve, but I apparently
> missed the instructions.
>
> Some of those addresses I put into firewall rules to drop the inquiry.
> Since then someone decided random IP addresses were more fun.  Rate
> limiting doesn't seem to help.
>
> Anyone in the group have the short story on how to fix this?
>
> Dave
>



-- 
http://www.wesleyduffeebraun.com




Re: [nlug] DNS attack mitigation suggestions?

2014-02-27 Thread Tilghman Lesher
On Thu, Feb 27, 2014 at 12:29 PM, David R. Wilson  wrote:
> I have had a problem with non resolvable IP addresses hitting my DNS
> server (running BIND9) and eating up bandwidth.  I am sure there is some
> instructions on how to assure the IP numbers resolve, but I apparently
> missed the instructions.
>
> Some of those addresses I put into firewall rules to drop the inquiry.
> Since then someone decided random IP addresses were more fun.  Rate
> limiting doesn't seem to help.
>
> Anyone in the group have the short story on how to fix this?

I'm guessing you're talking about non-routable addresses?  Ultimately,
it's going to have to be solved by your upstream backbone provider, in
terms of blocking packets with forged source addresses, since that's
the nature of the problem.

-- 
Tilghman



Re: [nlug] DNS attack mitigation suggestions?

2014-02-27 Thread David R. Wilson
Thanks Guys,

That is part of the problem.  Charter as best I can tell refuses to
block anything.  The fail2ban program looks like it might work.  It
looks like just a ping to verify the address is legitimate and drop the
packet if there is no response would be one way to do it.

I will stare at the fail2ban program docs a bit and see what that is
going to require.

Dave

On Thu, 2014-02-27 at 13:02 -0600, Tilghman Lesher wrote:
> On Thu, Feb 27, 2014 at 12:29 PM, David R. Wilson  wrote:
> > I have had a problem with non resolvable IP addresses hitting my DNS
> > server (running BIND9) and eating up bandwidth.  I am sure there is some
> > instructions on how to assure the IP numbers resolve, but I apparently
> > missed the instructions.
> >
> > Some of those addresses I put into firewall rules to drop the inquiry.
> > Since then someone decided random IP addresses were more fun.  Rate
> > limiting doesn't seem to help.
> >
> > Anyone in the group have the short story on how to fix this?
> 
> I'm guessing you're talking about non-routable addresses?  Ultimately,
> it's going to have to be solved by your upstream backbone provider, in
> terms of blocking packets with forged source addresses, since that's
> the nature of the problem.
> 
> -- 
> Tilghman
> 


Re: [nlug] DNS attack mitigation suggestions?

2014-02-27 Thread Wesley Duffee-Braun
Hi Dave,

Here is a link about someone who went through your scenario with a DNS
server and DDOS

https://www.debian-administration.org/article/Blocking_a_DNS_DDOS_using_the_fail2ban_package

Debian, not sure what you are running, but Fail2Ban should be similar setup.

 - Wesley



On Thu, Feb 27, 2014 at 1:15 PM, David R. Wilson  wrote:

> Thanks Guys,
>
> That is part of the problem.  Charter as best I can tell refuses to
> block anything.  The fail2ban program looks like it might work.  It
> looks like just a ping to verify the address is legitimate and drop the
> packet if there is no response would be one way to do it.
>
> I will stare at the fail2ban program docs a bit and see what that is
> going to require.
>
> Dave
>
> On Thu, 2014-02-27 at 13:02 -0600, Tilghman Lesher wrote:
> > On Thu, Feb 27, 2014 at 12:29 PM, David R. Wilson 
> wrote:
> > > I have had a problem with non resolvable IP addresses hitting my DNS
> > > server (running BIND9) and eating up bandwidth.  I am sure there is
> some
> > > instructions on how to assure the IP numbers resolve, but I apparently
> > > missed the instructions.
> > >
> > > Some of those addresses I put into firewall rules to drop the inquiry.
> > > Since then someone decided random IP addresses were more fun.  Rate
> > > limiting doesn't seem to help.
> > >
> > > Anyone in the group have the short story on how to fix this?
> >
> > I'm guessing you're talking about non-routable addresses?  Ultimately,
> > it's going to have to be solved by your upstream backbone provider, in
> > terms of blocking packets with forged source addresses, since that's
> > the nature of the problem.
> >
> > --
> > Tilghman
> >
> > --
>
>



-- 
http://www.wesleyduffeebraun.com
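
Added example, not written by anyone in the thread: the problem described above (per-address blocks stop matching once the source addresses are forged and random) shown on BIND 9 query-log lines. The log lines are constructed, the addresses come from documentation ranges, and the function names and thresholds are assumptions of this example.

```python
"""Per-source counting vs. per-question fan-in on BIND 9 query logs."""
import re
from collections import Counter, defaultdict

# Accepts the older "client ADDR#PORT: query: NAME CLASS TYPE ..." layout and
# the newer one that adds "@0x..." and "(NAME)" before "query:".
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+"
    r"(?: \([^)]*\))?: (?:view \S+: )?query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def parse(lines):
    """Yield (source, qname, qtype) for each query line; ignore other lines."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            qname = m["qname"].lower().rstrip(".") or "."
            yield m["src"], qname, m["qtype"].upper()


def per_source_offenders(events, max_per_source):
    """Per-address view (what a log-driven ban list keys on)."""
    counts = Counter(src for src, _, _ in events)
    return {src: n for src, n in counts.items() if n > max_per_source}


def fanin_suspects(events, min_sources, max_avg_per_source):
    """Per-question view: one (qname, qtype) asked by many sources, few times each.

    That shape is what forged, randomised source addresses produce.
    """
    total = Counter()
    sources = defaultdict(set)
    for src, qname, qtype in events:
        key = (qname, qtype)
        total[key] += 1
        sources[key].add(src)
    suspects = {}
    for key, srcs in sources.items():
        avg = total[key] / len(srcs)
        if len(srcs) >= min_sources and avg <= max_avg_per_source:
            suspects[key] = {"queries": total[key], "sources": len(srcs)}
    return suspects


def sample_log():
    """Constructed query-log lines (not real traffic)."""
    ts = "27-Feb-2014 12:29:01.000 queries: info: client "
    lines = []
    # Flood: 40 distinct forged sources, one ANY query each for the same name.
    for i in range(1, 41):
        lines.append(f"{ts}198.51.100.{i}#{40000 + i}: query: example.org IN ANY +E")
    # One real, repeating client: 12 lookups of different names.
    for i in range(12):
        lines.append(f"{ts}192.0.2.7#5{i:03d}: query: host{i}.example.net IN A +")
    # One ordinary query in the newer log layout, plus a non-query line.
    lines.append(
        f"{ts}@0x7f00 203.0.113.9#4242 (www.example.com): "
        "query: www.example.com IN A +E(0)K (192.0.2.53)"
    )
    lines.append("27-Feb-2014 12:29:02.000 general: info: zone example.net/IN: loaded")
    return lines


if __name__ == "__main__":
    events = list(parse(sample_log()))
    print("per-source offenders:", per_source_offenders(events, max_per_source=10))
    print("fan-in suspects:", fanin_suspects(events, min_sources=20, max_avg_per_source=2))
```

The per-source view flags only the one real, repeating client; none of the forged addresses ever crosses the threshold, which matches what the original post reports once the sender switched to random addresses.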




Re: [nlug] DNS attack mitigation suggestions?

2014-02-27 Thread Steven S. Critchfield
- Original Message -
> Hi guys,
> 
> I have had a problem with non resolvable IP addresses hitting my DNS
> server (running BIND9) and eating up bandwidth. I am sure there is
> some instructions on how to assure the IP numbers resolve, but I
> apparently missed the instructions.
> 
> Some of those addresses I put into firewall rules to drop the inquiry.
> Since then someone decided random IP addresses were more fun. Rate
> limiting doesn't seem to help.
> 
> Anyone in the group have the short story on how to fix this?

Do you need to be serving DNS to the world? Could you limit yourself to some 
specific ranges?

-- 
Steven Critchfield cri...@basesys.com



Re: [nlug] DNS attack mitigation suggestions?

2014-02-27 Thread David R. Wilson
Thanks Wesley,

That helps a bunch.  In this case it is a CentOS box, but I don't think
that is going to cause any problems.

Dave

On Thu, 2014-02-27 at 13:19 -0600, Wesley Duffee-Brahun wrote:
> Hi Dave,
> 
> 
> Here is a link about someone who went through your scenario with a DNS
> server and DDOS
> 
> 
> https://www.debian-administration.org/article/Blocking_a_DNS_DDOS_using_the_fail2ban_package
> 
> 
> 
> Debian, not sure what you are running, but Fail2Ban should be similar
> setup.
> 
> 
>  - Wesley
> 
> 
> 
> 


Re: [nlug] DNS attack mitigation suggestions?

2014-02-27 Thread Wesley Duffee-Braun
Good deal - let me know if you have any issues!


On Thu, Feb 27, 2014 at 3:33 PM, David R. Wilson  wrote:

> Thanks Wesley,
>
> That helps a bunch.  In this case it is a Centos box, but I don't think
> that is going to cause any problems.
>
> Dave
>
> On Thu, 2014-02-27 at 13:19 -0600, Wesley Duffee-Brahun wrote:
> > Hi Dave,
> >
> >
> > Here is a link about someone who went through your scenario with a DNS
> > server and DDOS
> >
> >
> >
> https://www.debian-administration.org/article/Blocking_a_DNS_DDOS_using_the_fail2ban_package
> >
> >
> >
> > Debian, not sure what you are running, but Fail2Ban should be similar
> > setup.
> >
> >
> >  - Wesley
> >
> >
> >
> >



-- 
http://www.wesleyduffeebraun.com



Re: [nlug] DNS attack mitigation suggestions?

2014-02-27 Thread Bill Woody
To add to David's problems, "youvebeenowned.org" seems to have found an
exploit.
While the domain name does not resolve, the IP shows a little of their
handiwork.






On Thu, Feb 27, 2014 at 4:41 PM, Wesley Duffee-Braun wrote:

> Good deal - let me know if you have any issues!
>
>
> On Thu, Feb 27, 2014 at 3:33 PM, David R. Wilson  wrote:
>
>> Thanks Wesley,
>>
>> That helps a bunch.  In this case it is a Centos box, but I don't think
>> that is going to cause any problems.
>>
>> Dave
>>
>> On Thu, 2014-02-27 at 13:19 -0600, Wesley Duffee-Brahun wrote:
>> > Hi Dave,
>> >
>> >
>> > Here is a link about someone who went through your scenario with a DNS
>> > server and DDOS
>> >
>> >
>> >
>> https://www.debian-administration.org/article/Blocking_a_DNS_DDOS_using_the_fail2ban_package
>> >
>> >
>> >
>> > Debian, not sure what you are running, but Fail2Ban should be similar
>> > setup.
>> >
>> >
>> >  - Wesley
>> >
>> >
>> >
>> >

Re: [nlug] DNS attack mitigation suggestions?

2014-02-28 Thread Bill Woody
And I thought "youvebeenowned.org" was another group of black hats! I have
GOT to stop waiting so late in the day to start drinking.


On Thu, Feb 27, 2014 at 6:21 PM, Bill Woody  wrote:

> To add to david's problems, "youvebeenowned.org" seems to have found an
> exploit.
> While the domain name does not resolve, the IP shows a little of their
> handiwork.
>
>
>
>
>
>
> On Thu, Feb 27, 2014 at 4:41 PM, Wesley Duffee-Braun wrote:
>
>> Good deal - let me know if you have any issues!
>>
>>
>> On Thu, Feb 27, 2014 at 3:33 PM, David R. Wilson  wrote:
>>
>>> Thanks Wesley,
>>>
>>> That helps a bunch.  In this case it is a Centos box, but I don't think
>>> that is going to cause any problems.
>>>
>>> Dave
>>>
>>> On Thu, 2014-02-27 at 13:19 -0600, Wesley Duffee-Brahun wrote:
>>> > Hi Dave,
>>> >
>>> >
>>> > Here is a link about someone who went through your scenario with a DNS
>>> > server and DDOS
>>> >
>>> >
>>> >
>>> https://www.debian-administration.org/article/Blocking_a_DNS_DDOS_using_the_fail2ban_package
>>> >
>>> >
>>> >
>>> > Debian, not sure what you are running, but Fail2Ban should be similar
>>> > setup.
>>> >
>>> >
>>> >  - Wesley
>>> >
>>> >
>>> >
>>> >

Re: [nlug] DNS attack mitigation suggestions?

2014-02-28 Thread David R. Wilson
Obviously today was a bad day to stop drinking

Dave


On Fri, 2014-02-28 at 07:15 -0500, Bill Woody wrote:
> And I thought "youvebeenowned.org" was another group of black hats! I
> have GOT to stop waiting so late in the day to start drinking.
> 
> 
> On Thu, Feb 27, 2014 at 6:21 PM, Bill Woody 
> wrote:
> To add to david's problems, "youvebeenowned.org" seems to have
> found an exploit.
> While the domain name does not resolve, the IP shows a little
> of their handiwork.
>   
> 
> 
> 
> 
>  
> 
> 

Re: [nlug] DNS attack mitigation suggestions?

2014-02-28 Thread Tilghman Lesher
Looks like I picked the wrong week to quit sniffing glue.

On Fri, Feb 28, 2014 at 8:05 AM, David R. Wilson  wrote:
> Obviously today was a bad day to stop drinking
>
> Dave
>
>
> On Fri, 2014-02-28 at 07:15 -0500, Bill Woody wrote:
>> And I thought "youvebeenowned.org" was another group of black hats! I
>> have GOT to stop waiting so late in the day to start drinking.
>>
>>
>> On Thu, Feb 27, 2014 at 6:21 PM, Bill Woody 
>> wrote:
>> To add to david's problems, "youvebeenowned.org" seems to have
>> found an exploit.
>> While the domain name does not resolve, the IP shows a little
>> of their handiwork.
>>
>>
>>
>>
>>
>>
>>
>>
>> On Thu, Feb 27, 2014 at 4:41 PM, Wesley Duffee-Braun
>>  wrote:
>> Good deal - let me know if you have any issues!
>>
>>
>> On Thu, Feb 27, 2014 at 3:33 PM, David R. Wilson
>>  wrote:
>> Thanks Wesley,
>>
>> That helps a bunch.  In this case it is a
>> Centos box, but I don't think
>> that is going to cause any problems.
>>
>> Dave
>>
>> On Thu, 2014-02-27 at 13:19 -0600, Wesley Duffee-Braun wrote:
>> > Hi Dave,
>> >
>> > Here is a link about someone who went through your scenario with a DNS
>> > server and DDOS
>> >
>> > https://www.debian-administration.org/article/Blocking_a_DNS_DDOS_using_the_fail2ban_package
>> >
>> > Debian, not sure what you are running, but Fail2Ban should be similar
>> > setup.
>> >
>> >  - Wesley
>> >
>> > On Thu, Feb 27, 2014 at 1:15 PM, David R. Wilson wrote:
>> > Thanks Guys,
>> >
>> > That is part of the problem.  Charter as best I can tell refuses to
>> > block anything.  The fail2ban program looks like it might work.  It
>> > looks like just a ping to verify the address is legitimate and drop the
>> > packet if there is no response would be one way to do it.
>> >
>> > I will stare at the fail2ban program docs a bit and see what that is
>> > going to require.
>> >
>> > Dave
>> >
>> > On Thu, 2014-02-27 at 13:02 -0600, Tilghman Lesher wrote:
>> > > On Thu, Feb 27, 2014 at 12:29 PM, David R. Wilson wrote:
>> > > > I have had a problem with non resolvable IP addresses hitting my DNS
>> > > > server (running BIND9) and eating up bandwidth.  I am sure there is some
>> > > > instructions on how to assure the IP numbers resolve, but I apparently
>> > > > missed the instructions.
>> > > >
>> > > > Some of those addresses I put into firewall rules to drop the inquiry.
>> > > > Since then someone decided random IP addresses were more fun.  Rate
>> > > > limiting doesn't seem to help.
>> > > >
>> > > > Anyone in the group have the short story on how to fix

Re: [nlug] DNS attack mitigation suggestions?

2014-02-28 Thread Howard White

On 02/28/2014 08:46 AM, Tilghman Lesher wrote:

> Looks like I picked the wrong week to quit sniffing glue.




mm - toluene and methyl ethyl ketone





Re: [nlug] DNS attack mitigation suggestions?

2014-02-28 Thread Curt Lundgren
Looks like I picked the wrong week to quit amphetamines


On Fri, Feb 28, 2014 at 8:49 AM, Howard White  wrote:

> On 02/28/2014 08:46 AM, Tilghman Lesher wrote:
>
>> Looks like I picked the wrong week to quit sniffing glue.
>>
>>
>
> mm - toluene and methyl ethyl ketone
>
>
>
>


Re: [nlug] DNS attack mitigation suggestions?

2014-02-28 Thread Bill Woody
Bunch of quitters!


On Fri, Feb 28, 2014 at 9:52 AM, Curt Lundgren  wrote:

> Looks like I picked the wrong week to quit amphetamines
>
>
> On Fri, Feb 28, 2014 at 8:49 AM, Howard White  wrote:
>
>> On 02/28/2014 08:46 AM, Tilghman Lesher wrote:
>>
>>> Looks like I picked the wrong week to quit sniffing glue.
>>>
>>>
>>
>> mm - toluene and methyl ethyl ketone
>>
>>
>>
>>


Re: [nlug] DNS attack mitigation suggestions?

2014-02-28 Thread Alex Smith (K4RNT)
That's my line! ;)

" ' With the first link, the chain is forged. The first speech censured,
the first thought forbidden, the first freedom denied, chains us all
irrevocably.' Those words were uttered by Judge Aaron Satie as wisdom and
warning... The first time any man's freedom is trodden on we’re all
damaged." - Jean-Luc Picard, quoting Judge Aaron Satie, Star Trek: TNG
episode "The Drumhead"
- Alex Smith
- Dulles Technology Corridor (Chantilly/Ashburn/Dulles), Virginia USA


On Fri, Feb 28, 2014 at 11:52 AM, Bill Woody  wrote:

> Bunch of quitters!
>
>
> On Fri, Feb 28, 2014 at 9:52 AM, Curt Lundgren  wrote:
>
>> Looks like I picked the wrong week to quit amphetamines
>>
>>
>> On Fri, Feb 28, 2014 at 8:49 AM, Howard White  wrote:
>>
>>> On 02/28/2014 08:46 AM, Tilghman Lesher wrote:
>>>
>>>> Looks like I picked the wrong week to quit sniffing glue.
>>>>
>>>>
>>>
>>> mm - toluene and methyl ethyl ketone
>>>
>>>
>>>
>>>


Re: [nlug] DNS attack mitigation suggestions?

2014-03-01 Thread Howard White

On 02/28/2014 10:52 AM, Bill Woody wrote:

> Bunch of quitters!



Now this is my kind of flame war  ;)

Howard
