Kapetanakis Giannis writes:
> On 09/06/12 18:58, Kostas Zorbadelos wrote:
>
> Hi,
>
Hi Giannis,
> My understanding so far is that the queries hit your DNS servers from
> your ISP network/clients
Yes.
> and are not spoofed.
I didn't say that.
> Also those queries hit the recursive/caching
On 2012-06-10, Rudolf Leitgeb wrote:
> On Sunday, 10.06.2012, 00:37 +, Stuart Henderson wrote:
>> On 2012-06-09, Kostas Zorbadelos wrote:
>> > I am interested to hear possible solutions in other layers as well.
>>
>> http://fanf.livejournal.com/122111.html seems a nice approach...
>
>
On 09/06/12 18:58, Kostas Zorbadelos wrote:
>> Kostas Zorbadelos writes:
>>
>>> there is a need to restrict a specific type of DNS queries (ANY queries)
>>> in our nameservers. We faced a DDoS attack in our resolvers and the
>>> thing is that we could not simply cut access to DNS resolution to
>>>
On Sunday, 10.06.2012, 00:37 +, Stuart Henderson wrote:
> On 2012-06-09, Kostas Zorbadelos wrote:
> > I am interested to hear possible solutions in other layers as well.
>
> http://fanf.livejournal.com/122111.html seems a nice approach...
This seems to work nicely if the attacker spoof
On 2012-06-09, Kostas Zorbadelos wrote:
> I am interested to hear possible solutions in other layers as well.
http://fanf.livejournal.com/122111.html seems a nice approach...
On Saturday, 09.06.2012, 19:17 +0300, Kostas Zorbadelos wrote:
> What do you mean identify and filter based on TTL? In our case the
> attacker used a specific query for a single domain.
I mean the TTL field from the IP header of these packets. While the
attacker's packets spoof the sender addr
Rudolf Leitgeb writes:
> On Saturday, 09.06.2012, 14:11 +0300, Kostas Zorbadelos wrote:
>> The situation is similar but not the same as the one described here:
>>
>> https://isc.sans.edu/diary.html?storyid=13261
>>
>> We used IPtables and the string module to match a specific signature of
>
* Kostas Zorbadelos [2012-06-09 18:02]:
> Henning Brauer writes:
> > string matching to more or less random packets' payload in the kernel?
> > that is beyond insane.
> I am interested to know if this has caused problems in IPtables'
> setups. It sounds dangerous, however Linux systems provide th
Hi, will try to comment on many posts at once :)
> Kostas Zorbadelos writes:
>
>> there is a need to restrict a specific type of DNS queries (ANY queries)
>> in our nameservers. We faced a DDoS attack in our resolvers and the
>> thing is that we could not simply cut access to DNS resolution to
>>
On Saturday, 09.06.2012, 14:11 +0300, Kostas Zorbadelos wrote:
> The situation is similar but not the same as the one described here:
>
> https://isc.sans.edu/diary.html?storyid=13261
>
> We used IPtables and the string module to match a specific signature of
> the problematic queries and it
On Sat, 09 Jun 2012 14:08:58 +0200
Peter N. M. Hansteen wrote:
> While string matching in PF is not an option, I vaguely remember snort
> users coming up with patterns to match earlier DNS tomfoolery, so
> there's a chance you may be able to get useful info and possibly even a
> working snort setu
On Sat, 09 Jun 2012 13:51:00 +0200, jca+o...@wxcvbn.org (Jérémie
Courrèges-Anglas) wrote:
> Kostas Zorbadelos writes:
>
>> Hello all,
>
> Hi
>
>> there is a need to restrict a specific type of DNS queries (ANY queries)
>> in our nameservers. We faced a DDoS attack in our resolvers and the
>> th
Kostas Zorbadelos writes:
> there is a need to restrict a specific type of DNS queries (ANY queries)
> in our nameservers. We faced a DDoS attack in our resolvers and the
> thing is that we could not simply cut access to DNS resolution to
> specific client IPs, the queries came from our own unsus
Kostas Zorbadelos writes:
> Hello all,
Hi
> there is a need to restrict a specific type of DNS queries (ANY queries)
> in our nameservers. We faced a DDoS attack in our resolvers and the
> thing is that we could not simply cut access to DNS resolution to
> specific client IPs, the queries came
* Kostas Zorbadelos [2012-06-09 13:12]:
> We used IPtables and the string module to match a specific signature of
> the problematic queries and it worked quite well (in our attack case the
> problematic queries had a very specific and simple pattern).
> The question is, if we had OpenBSD and PF a
Hello all,
there is a need to restrict a specific type of DNS queries (ANY queries)
in our nameservers. We faced a DDoS attack in our resolvers and the
thing is that we could not simply cut access to DNS resolution to
specific client IPs, the queries came from our own unsuspecting
customers.
Th
16 matches