On Aug 1, 2011, at 9:22 AM, Mark Andrews wrote:
> And even if DNS/TCP was used by default machines can still get DoS'd because
> IP is spoofable.
They can be DDoSed with spoofed or non-spoofed packets, and there are defenses
against such attacks.
Apologies if I was unclear - my point was that
In message , "Dobbins, Roland"
writes:
> On Aug 1, 2011, at 7:42 AM, Mark Andrews wrote:
>
> > Named already takes proper precautions by default. Recursive service is
> > limited to directly connected networks by default. The default
> > was first changed in 9.4 (2007) which is about to go end
On Aug 1, 2011, at 7:42 AM, Mark Andrews wrote:
> Named already takes proper precautions by default. Recursive service is
> limited to directly connected networks by default. The default
> was first changed in 9.4 (2007) which is about to go end-of-life once the
> final wrap up release is done
In message <09d7a1d0-0b13-4570-8891-835ca6568...@arbor.net>, "Dobbins, Roland"
writes:
>
> On Jul 31, 2011, at 9:15 AM, "Jimmy Hess" wrote:
>
> > Is there an RFC specifying precisely what are considered the proper
> > precautions?
> > "precautions" should ideally be enabled in BIND by default
On Jul 31, 2011, at 9:15 AM, "Jimmy Hess" wrote:
> Is there an RFC specifying precisely what are considered the proper
> precautions?
> "precautions" should ideally be enabled in BIND by default.
Not of which I'm aware. I'm happy to contribute to any efforts you or anyone
else are volunteeri
On Sat, Jul 30, 2011 at 5:53 PM, Dobbins, Roland wrote:
> On Jul 31, 2011, at 3:08 AM, Jimmy Hess wrote:
> > A good example, would be services such as OpenDNS.
> One can argue a) that services like OpenDNS aren't necessarily a Good Thing
> when run by those who don't take the proper precautions
More good stuff here: http://www.team-cymru.org/Services/Resolvers/
Frank
-Original Message-
From: Dobbins, Roland [mailto:rdobb...@arbor.net]
Sent: Friday, July 29, 2011 5:40 PM
To: NANOG list
Subject: Re: DNS DoS ???
On Jul 30, 2011, at 1:51 AM, Elliot Finley wrote:
> my DNS serv
On Jul 31, 2011, at 3:08 AM, Jimmy Hess wrote:
> A good example, would be services such as OpenDNS.
One can argue a) that services like OpenDNS aren't necessarily a Good Thing
when run by those who don't take the proper precautions and b) that OpenDNS in
particular is run by smart, responsible
On Sat, Jul 30, 2011 at 11:33 AM, Drew Weaver wrote:
> And at this point he may as well just ACL in-front of the recursors to
> prevent the traffic from hitting the servers thus reducing load needed to
> reject the queries on the servers themselves.
>
>
A problem for providers of DNS recursive se
With these types of attacks, usually anycast will cause rolling
outages. Anycast gives you failover, which makes sure the attack (and
good) traffic makes it to the next available server to be impaired or
taken offline.
On Jul 30, 2011, at 1:01 PM, Alex Nderitu wrote:
> Dns anycast can in addit
I don't think anycast works the way you think it does. It'll distribute load
for single dns servers, but not the case that he is describing.
-j
On Sat, Jul 30, 2011 at 12:01 PM, Alex Nderitu wrote:
> Dns anycast can in addition to acl help distribute load.
> On Jul 30, 2011 9:44 PM, "Jon Lewis
Dns anycast can in addition to acl help distribute load.
On Jul 30, 2011 9:44 PM, "Jon Lewis" wrote:
> On Sat, 30 Jul 2011, Drew Weaver wrote:
>
>>> my DNS servers were getting slow so I blocked recursive queries for all
>>> but my own network.
>>
>> This should be the standard practice. By opera
On Sat, 30 Jul 2011, Drew Weaver wrote:
my DNS servers were getting slow so I blocked recursive queries for all
but my own network.
This should be the standard practice. By operating an open recursor,
you lend your DNS server to abuse as a contributor to DNS
reflection/amplification attacks
-Original Message-
From: Dobbins, Roland [mailto:rdobb...@arbor.net]
Sent: Friday, July 29, 2011 6:40 PM
To: NANOG list
Subject: Re: DNS DoS ???
On Jul 30, 2011, at 1:51 AM, Elliot Finley wrote:
> my DNS servers were getting slow so I blocked recursive queries for all but
>
On Jul 30, 2011, at 1:51 AM, Elliot Finley wrote:
> my DNS servers were getting slow so I blocked recursive queries for all but
> my own network.
This should be the standard practice. By operating an open recursor, you lend
your DNS server to abuse as a contributor to DNS reflection/amplificat
I've seen this for the same on about 3 sets of nameservers I operate. fail2ban
doing a 72 hour iptables drop rule.
-Original Message-
From: Drew Weaver [mailto:drew.wea...@thenap.com]
Sent: Friday, July 29, 2011 3:01 PM
To: 'Elliot Finley'; nanog@nanog.org
Subje
We've been seeing this for several years on and off.
thanks,
-Drew
-Original Message-
From: Elliot Finley [mailto:efinley.li...@gmail.com]
Sent: Friday, July 29, 2011 2:51 PM
To: nanog@nanog.org
Subject: DNS DoS ???
my DNS servers were getting slow so I blocked recursive querie
I see this all the time on my personal servers. I finally just told bind
to stop logging it.
On 07/29/2011 02:51 PM, Elliot Finley wrote:
my DNS servers were getting slow so I blocked recursive queries for
all but my own network.
Then I was getting so many of these:
ns2 named[5056]: client 78
Ping me offline, there are a few other folks who have seen this as well. The
isc.org record is commonly used in reflection attacks because the size of the
record is so large, so the amplification factor is greatly increased. Can you
check to see if +edns=0 was set in the query? That would be
my DNS servers were getting slow so I blocked recursive queries for
all but my own network.
Then I was getting so many of these:
ns2 named[5056]: client 78.159.111.190#25345: query (cache)
'isc.org/ANY/IN' denied
that it was still slowing things down. I've since written a script to
watch the lo
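As an added illustration of the log-watching described in this thread (this is example code, not Elliot's script and not fail2ban's filter), the following parses the BIND 9 "query (cache) ... denied" lines quoted above, counts denied queries per client and per query name/type so that the isc.org/ANY reflection pattern stands out, and flags clients that exceed a threshold inside a sliding time window, which is the decision fail2ban makes before installing its iptables drop rule. It assumes a syslog-style prefix (month, day, time, host, "named[pid]:") in front of the message shown on the page and that the caller supplies the year the log lacks; the sample lines and the documentation-range client addresses are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Regex for the line BIND 9 logs when a client outside allow-recursion asks
# for recursion: "client <ip>#<port>: query (cache) '<name>/<type>/<class>' denied".
# The syslog prefix (month day time host named[pid]:) is an assumption about
# how the log is collected; the page only shows the message part.
DENIED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: "
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied$"
)

# Constructed sample log (documentation-range addresses, not real clients).
SAMPLE_LOG = """\
Jul 29 14:40:01 ns2 named[5056]: client 192.0.2.10#25345: query (cache) 'isc.org/ANY/IN' denied
Jul 29 14:40:01 ns2 named[5056]: client 192.0.2.10#25346: query (cache) 'isc.org/ANY/IN' denied
Jul 29 14:40:02 ns2 named[5056]: zone example.net/IN: loaded serial 2011072901
Jul 29 14:40:02 ns2 named[5056]: client 198.51.100.7#4100: query (cache) 'isc.org/ANY/IN' denied
Jul 29 14:40:03 ns2 named[5056]: client 192.0.2.10#25347: query (cache) 'isc.org/ANY/IN' denied
Jul 29 14:40:09 ns2 named[5056]: client 192.0.2.10#25348: query (cache) 'isc.org/ANY/IN' denied
Jul 29 15:10:00 ns2 named[5056]: client 203.0.113.5#53001: query (cache) 'example.com/A/IN' denied
"""


def parse_denied(line, year=2011):
    """Return (timestamp, client_ip, qname, qtype) for a denied-query line, else None."""
    m = DENIED_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies one (assumption).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["qname"], m["qtype"]


def summarize(lines, year=2011):
    """Count denied queries per client and per (qname, qtype).

    A pile of ANY queries for one large record (isc.org in the thread) from
    spoofed sources is the signature of reflection/amplification traffic.
    """
    per_client, per_query = Counter(), Counter()
    for line in lines:
        rec = parse_denied(line, year)
        if rec:
            _, ip, qname, qtype = rec
            per_client[ip] += 1
            per_query[(qname, qtype)] += 1
    return per_client, per_query


def clients_to_block(lines, threshold=3, window=timedelta(seconds=60), year=2011):
    """Return sorted client IPs with >= threshold denied queries inside any
    interval of length `window` (a sliding-window version of fail2ban's rule)."""
    stamps = defaultdict(list)
    for line in lines:
        rec = parse_denied(line, year)
        if rec:
            stamps[rec[1]].append(rec[0])
    offenders = set()
    for ip, times in stamps.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it is within `window` of t.
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders.add(ip)
                break
    return sorted(offenders)


def drop_rules(ips):
    """iptables rules in the spirit of the thread's 72-hour drop; expiry of the
    rule is left to whatever installs it (fail2ban does this itself)."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport 53 -j DROP" for ip in ips]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    per_client, per_query = summarize(lines)
    print("denied per client:", dict(per_client))
    print("denied per query:", dict(per_query))
    for rule in drop_rules(clients_to_block(lines)):
        print(rule)
```

Note that blocking on denied-query counts only reduces load on the server itself; with spoofed sources (the point Mark Andrews makes later in the thread) the dropped address may belong to the reflection victim, so the rule protects your recursor, not the victim, and an upstream ACL as Drew Weaver suggests does the same job before the packets reach named.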