[nycbug-talk] dns abuse
Dan Langille
dan at langille.org
Thu Jan 22 11:41:36 EST 2009
Andy Kosela wrote:
> Yarema <yds at coolrat.org> wrote:
>
>> I was seeing the same sort of high load from
>>
>> 66.230.128.15
>> 66.230.160.1
>> 69.50.142.11
>> 69.50.142.110
>> 76.9.16.171
>> 76.9.31.42
>>
>> as Max originally reported. So since I'm not returning anything to the
>> "." query yet I am getting hit with repeated queries from the IPs above,
>> doesn't it stand to reason that my servers are the ones getting DDoSed
>> and not the other way around?
>
> Those source IPs are spoofed. Dan's link can be helpful:
>
> http://isc.sans.org/diary.html?storyid=5713
>
> As I understand it, there is no "proper" way to fix it in BIND9.
FWIW, I was running a bind from base under FreeBSD 6.3. Upgrading to
bind in ports allowed that box to pass the test in question.
Other boxes, running 7.x passed the test. I compared the named.conf
files from the various boxes. There was nothing significant in the
configuration differences.
--
Dan Langille
BSDCan - The Technical BSD Conference : http://www.bsdcan.org/
PGCon - The PostgreSQL Conference: http://www.pgcon.org/
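As an added illustration (not code from the thread or from BIND), the following script picks out of a BIND 9 query log the sources that repeatedly ask for the root zone ("." IN NS), the traffic pattern Yarema and Max describe. It assumes the classic BIND 9 query-log line shape and uses constructed sample lines with RFC 5737 documentation addresses; the count threshold is an arbitrary choice.

```python
import re
from collections import Counter

# Classic BIND 9 query-log line (assumed format; sample lines below are constructed):
#   22-Jan-2009 11:41:36.123 client 192.0.2.10#53: query: . IN NS +
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) ?(?P<flags>\S*)"
)

def parse_query_log(lines):
    """Yield (ip, port, qname, qtype, flags) for every line that looks like a query."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield (m.group("ip"), int(m.group("port")), m.group("qname"),
                   m.group("qtype"), m.group("flags"))

def root_query_sources(lines, threshold=3):
    """Return {ip: count} for sources that sent at least `threshold` queries
    for the root zone ".". Because the source addresses in this kind of
    flood are spoofed, a high count identifies where our answers are being
    reflected to (the real victim), not who is sending the packets; the
    useful response is to stop answering those queries, not to treat the
    address as an attacker."""
    counts = Counter(ip for ip, _, qname, _, _ in parse_query_log(lines)
                     if qname == ".")
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample log: five root queries from one spoofed source, one from
# another, two ordinary lookups, and one non-query line that must be ignored.
SAMPLE_LOG = [
    "22-Jan-2009 11:41:36.001 client 192.0.2.10#53: query: . IN NS +",
    "22-Jan-2009 11:41:36.002 client 192.0.2.10#53: query: . IN NS +",
    "22-Jan-2009 11:41:36.003 client 192.0.2.10#53: query: . IN NS +",
    "22-Jan-2009 11:41:36.004 client 192.0.2.10#53: query: . IN NS +",
    "22-Jan-2009 11:41:36.005 client 192.0.2.10#53: query: . IN NS +",
    "22-Jan-2009 11:41:36.006 client 192.0.2.20#53: query: . IN NS +",
    "22-Jan-2009 11:41:37.100 client 198.51.100.5#40123: query: www.example.com IN A +",
    "22-Jan-2009 11:41:37.200 client 198.51.100.5#40124: query: example.com IN MX +",
    "22-Jan-2009 11:41:38.000 zone example.com/IN: loaded serial 1",
]

if __name__ == "__main__":
    for ip, n in sorted(root_query_sources(SAMPLE_LOG).items()):
        print(f"{ip}: {n} root-zone queries")
```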