Mark Andrews wrote:
>> 0.86.80.98 14051
>
> So who isn't doing even loose URPF?
> 0/8 is totally bogus and is an attack directed at you.
Well, if you do a tracert to granite.ab.ca you can see my upstream provider. I was
wondering what that 0 was doing there.
Tony
--
Tony Toews
In message , "Tony Toews [MVP]" writes:
> "Tony Toews [MVP]" wrote:
>
> >FWIW In the last 28 hours I have the following alleged IP addresses and count in my
> >log file.
> >
> >Real lookups 1665
> >204.15.80.50 4
> >3.217.28.226 1144
> >4.57.246.146 9541
> >6.9.16.171 577
> >63.217.28.226
"Tony Toews [MVP]" wrote:
>FWIW In the last 28 hours I have the following alleged IP addresses and count in my
>log file.
>
>Real lookups 1665
>204.15.80.50 4
>3.217.28.226 1144
>4.57.246.146 9541
>6.9.16.171 577
>63.217.28.226 1463
>64.57.246.146 35163
>65.173.218.96 1
>67.192.1
Sorry remembered wrong, it's not free. But not that expensive either.
Yeah now I remember, I browsed for a free firewall for server platform for
days, but didn't find any.
But have been very happy with the Net Firewall.
Jukka
"Tony Toews [MVP]" wrote in message:...
"Jukka Pakkanen"
"Jukka Pakkanen" wrote:
>There are many free third party firewall packages that can be run in Windows
>2003 Server, we use the Net Firewall.
Do you have a URL? I found http://www.ntkernel.com/w&p.php?id=18 but it's not free.
I'm also going to ask my fellow MVPs as well.
Tony
--
Tony T
"Tony Toews [MVP]" wrote:
>26-Jan-2009 14:28:24.004 client 76.9.16.171#23101: query: . IN NS +
>26-Jan-2009 14:28:58.254 client 63.217.28.226#28035: query: . IN NS +
>26-Jan-2009 14:29:00.691 client 63.217.28.226#35549: query: . IN NS +
>26-Jan-2009 14:29:26.332 client 76.9.16.171#19817: query: .
On Tue, Jan 27, 2009 at 11:50:51AM +0100,
Jan Buchholz <96de...@googlemail.com> wrote
a message of 38 lines which said:
> I think disable queries at the root-zone for not internal networks
> is another answer for this problem.
Good practices about this attack (with specific BIND advice) are
al
Hello,
I think disable queries at the root-zone for not internal networks is
another answer for this problem.
---
Jan
2009/1/27, Jukka Pakkanen :
>
> "Tony Toews [MVP]" wrote in message:...
>> Noel Butler wrote:
>>
>> >Surely windows can block access to an inbound IP request from "some I
"Tony Toews [MVP]" wrote in message:...
Noel Butler wrote:
>Surely windows can block access to an inbound IP request from "some IP"
>to local udp port 53 ?
Not the firewall software built into Windows 2003 Server.
>If not, you know what my next reply will be don't you :)
Yeah, well swi
On 26-Jan-2009, at 23:03, Tony Toews [MVP] wrote:
Ah, I think I see what is happening here. Searching at the below article for 63.217.28.226
http://tech.slashdot.org/tech/09/01/24/0113210.shtml shows a reply stating:
"The problem seems to kick in for DNS servers that aren't rejecting
th
"Tony Toews [MVP]" wrote:
>As far as I can tell from the same 5 or 20 IP addresses. I haven't seen these lines
>before.
When I analyzed today's log I got three IP addresses.
204.15.80.50 might be smtp9.soma.ironport.com
63.217.28.226 might be Network solutions according to the below SlashDot
a
On Tue, 2009-01-27 at 13:16, Tony Toews [MVP] wrote:
> Noel Butler wrote:
>
> >Surely windows can block access to an inbound IP request from "some IP"
> >to local udp port 53 ?
>
> Not the firewall software built into Windows 2003 Server.
>
Gawd...
> >If not, you know what my next reply wi
Mark Andrews wrote:
>> It looks like the server is replying with a refused statement. The following are the
>> two lines that WireShark captured.
>>
>> Standard query NS
>> Standard query response, refused
>
> Good. The attacker is trying to use you as an amplifier and
> that is no
Noel Butler wrote:
>Surely windows can block access to an inbound IP request from "some IP"
>to local udp port 53 ?
Not the firewall software built into Windows 2003 Server.
>If not, you know what my next reply will be don't you :)
Yeah, well switching to Linux ain't gonna happen. My friend
In message , "Tony Toews [MVP]" writes:
> "Tony Toews [MVP]" wrote:
>
> >>> How do I know I'm not answering those?
> >>>
> >>Since you're on win, I can't help you, but whatever your packet monitor
> >>is, see if you are replying to their requests, even with a REFUSED
> >>response.
>
> It looks
On Tue, 2009-01-27 at 12:35, Tony Toews [MVP] wrote:
> "Tony Toews [MVP]" wrote:
>
> >>> How do I know I'm not answering those?
> >>>
> >>Since you're on win, I can't help you, but whatever your packet monitor
> >>is, see if you are replying to their requests, even with a REFUSED
> >>response.
>
"Tony Toews [MVP]" wrote:
>>> I doubt the current firewall, the one built into Windows 2003 Server, is capable of
>>> blocking specific IP addresses but I'll check.
>>
>>In that case maybe on your router? Apply an inbound request from them on
>>port 53 udp only, that way you won't affect real
"Tony Toews [MVP]" wrote:
>>> How do I know I'm not answering those?
>>>
>>Since you're on win, I can't help you, but whatever your packet monitor
>>is, see if you are replying to their requests, even with a REFUSED
>>response.
It looks like the server is replying with a refused statement. The f
In message , Barry Margolin
writes:
> In article ,
> Mark Andrews wrote:
>
> > In message , "Tony Toews [MVP]" writes:
> > > Gregory Hicks wrote:
> > >
> > >
> > > >> 2) What are they?
> > > >
> > > >They look like the DDoS being discussed on the NANOG list.
> > > >
> > > >Have
In message , Barry Margolin
writes:
> In article ,
> "Tony Toews [MVP]" wrote:
>
> > Gregory Hicks wrote:
> >
> >
> > >> 2) What are they?
> > >
> > >They look like the DDoS being discussed on the NANOG list.
> > >
> > >Have you implemented BCP38? If not, why not...
> >
> > I have no idea
Noel Butler wrote:
>> How do I know I'm not answering those?
>>
>
>Since you're on win, I can't help you, but whatever your packet monitor
>is, see if you are replying to their requests, even with a REFUSED
>response.
Thanks, I'll take a look using WireShark.
>> >It's a forged request asking you
"Tony Toews [MVP]" wrote:
>I just noticed that our small scale Bind server has a lot of the following
>lines.
Just to clarify things. We're running a personal scale IIS, DNS and email server on
Windows 2003 Server with about 20 or so domains on a friend's DSL connection. To
give you an idea
Barry Margolin wrote:
>> >Have you implemented BCP38? If not, why not...
>>
>> I have no idea what BCP38 is and how I can implement that. Would you be so kind as
>> to supply links relevant to Windows 2003 Server?
>
>BCP38 is not something you implement, it's something that has to be
>imp
In article ,
Mark Andrews wrote:
> In message , "Tony Toews [MVP]" writes:
> > Gregory Hicks wrote:
> >
> >
> > >> 2) What are they?
> > >
> > >They look like the DDoS being discussed on the NANOG list.
> > >
> > >Have you implemented BCP38? If not, why not...
> >
> > I have no idea w
In article ,
"Tony Toews [MVP]" wrote:
> Gregory Hicks wrote:
>
>
> >> 2) What are they?
> >
> >They look like the DDoS being discussed on the NANOG list.
> >
> >Have you implemented BCP38? If not, why not...
>
> I have no idea what BCP38 is and how I can implement that. Would you be so
>
In message , "Tony Toews [MVP]" writes:
> Gregory Hicks wrote:
>
>
> >> 2) What are they?
> >
> >They look like the DDoS being discussed on the NANOG list.
> >
> >Have you implemented BCP38? If not, why not...
>
> I have no idea what BCP38 is and how I can implement that.
http://www
Hi Tony,
On Tue, 2009-01-27 at 09:35, Tony Toews [MVP] wrote:
> Noel Butler wrote:
>
> >This is not your config, so long as you are not answering that's fine.
>
> How do I know I'm not answering those?
>
Since you're on win, I can't help you, but whatever your packet monitor
is, see if you are
Noel Butler wrote:
>This is not your config, so long as you are not answering that's fine.
How do I know I'm not answering those?
>It's a forged request asking you to participate in a DDoS that's been
>going on since last Wednesday,
>it's best if you firewall off your replies to those IPs so you
Gregory Hicks wrote:
>> 2) What are they?
>
>They look like the DDoS being discussed on the NANOG list.
>
>Have you implemented BCP38? If not, why not...
I have no idea what BCP38 is and how I can implement that. Would you be so kind as
to supply links relevant to Windows 2003 Server?
Thank
On Tue, 2009-01-27 at 07:45, Tony Toews [MVP] wrote:
> Folks
>
> Warning - I know just enough about Bind to be dangerous. Which is why I'm
> asking.
>
> I just noticed that our small scale Bind server has a lot of the following
> lines.
>
> 26-Jan-2009 14:28:24.004 client 76.9.16.171#23101:
> To: comp-protocols-dns-b...@isc.org
> From: "Tony Toews [MVP]"
> Subject: What are these entries in the log file - " query: . IN NS +"?
> Date: Mon, 26 Jan 2009 21:45:18 GMT
>
> Folks
>
> Warning - I know just enough about Bind to be dangero
Folks
Warning - I know just enough about Bind to be dangerous. Which is why I'm
asking.
I just noticed that our small scale Bind server has a lot of the following lines.
26-Jan-2009 14:28:24.004 client 76.9.16.171#23101: query: . IN NS +
26-Jan-2009 14:28:58.254 client 63.217.28.226#28035: que
32 matches