My methodology is simple, analyze and ban :)
First Part
+ Baseline = Identifying the anomalies
* Using latency monitor.
-> smokeping, in-house scripts; instead of dig I prefer using Net::DNS
for the customizable output, etc.
* Ratio of dns-query/dns-response (in/out mbps)
-> roughly in/out traffic in my cases is 1/4
* Ascii/RRD like graphs :), same as the above case, but just looking at the
behavior of the traffic picture.
+ Random auditing, packet sampling in a limited time frame. It is best suited
if you have got a lot of dns-servers and want to identify whether there is an
amplification attack present or not.
-> tcpdump + grep/sed/awk + "wc -l" or dnstop :), etc.
Last Part
+ Banning traffic: signature of the packet (dns-type + dns query), then
importing them to firewall
Serhat Aslan
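The two checks described above (the query/response byte ratio and the tcpdump + awk sampling for sources that hammer a server with ANY queries) can be scripted as below. This is an added example, not code from the thread or from any of the tools mentioned; the tcpdump-style lines are constructed to resemble `tcpdump -n udp port 53` text output, the addresses are documentation ranges, and the threshold and server address are assumed parameters. Output is meant to feed a review step before anything is pushed to a firewall, not to block automatically.

```shell
#!/bin/sh
# Constructed tcpdump-style lines (not a real capture) standing in for
# the text output of "tcpdump -n -i eth0 udp port 53".
# 192.0.2.1 plays the authoritative server; the other addresses are clients.
sample_capture() {
  cat <<'EOF'
12:00:01.000100 IP 198.51.100.7.40001 > 192.0.2.1.53: 1001+ ANY? example.net. (29)
12:00:01.000200 IP 198.51.100.7.40002 > 192.0.2.1.53: 1002+ ANY? example.net. (29)
12:00:01.000300 IP 203.0.113.9.50000 > 192.0.2.1.53: 2001+ A? www.example.net. (33)
12:00:01.000400 IP 198.51.100.7.40003 > 192.0.2.1.53: 1003+ ANY? example.net. (29)
12:00:01.000500 IP 192.0.2.1.53 > 198.51.100.7.40001: 1001*- 6/0/0 NS ns1.example.net., A 192.0.2.10 (1452)
12:00:01.000600 IP 198.51.100.7.40004 > 192.0.2.1.53: 1004+ ANY? example.net. (29)
12:00:01.000700 IP 203.0.113.9.50001 > 192.0.2.1.53: 2002+ ANY? example.net. (29)
EOF
}

# Sampling check: count ANY queries per source address read from stdin and
# print "source_ip count" for every source at or above THRESHOLD ($1),
# busiest first. A source that only ever asks ANY for the same name is the
# reflection pattern the thread describes.
flag_any_sources() {
  threshold="$1"
  awk -v t="$threshold" '
    / ANY\? / {
      src = $3                    # e.g. 198.51.100.7.40001 (address.port)
      sub(/\.[0-9]+$/, "", src)   # drop the source port, keep the address
      n[src]++
    }
    END { for (s in n) if (n[s] >= t) print s, n[s] }
  ' | sort -k2,2nr
}

# Ratio check: sum the trailing "(len)" field of queries arriving at
# SERVER_IP:53 (in) and of responses leaving it (out), then print
# "in_bytes out_bytes out/in". A jump well above your usual baseline
# (the poster quotes roughly 1/4 in/out) is the amplification signal.
traffic_ratio() {
  server="$1"
  awk -v s="$server" '
    { len = $NF; gsub(/[()]/, "", len) }
    $5 == (s ".53:") { in_b  += len }
    $3 == (s ".53")  { out_b += len }
    END { printf "%d %d %.1f\n", in_b, out_b, (in_b ? out_b / in_b : 0) }
  '
}

# Usage on a live box would be e.g.
#   timeout 60 tcpdump -n -l udp port 53 | flag_any_sources 200
#   timeout 60 tcpdump -n -l udp port 53 | traffic_ratio 192.0.2.1
# Here the constructed sample is used instead:
#   sample_capture | flag_any_sources 3
#   sample_capture | traffic_ratio 192.0.2.1
```

The ANY counter strips the source port so that spoofed queries spread over many ports still aggregate per address, and the ratio function keys on the server's own address so client-to-client noise in a shared capture is ignored.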
________________________________
From: Robert Schwartz <[email protected]>
To: [email protected]
Sent: Tuesday, September 11, 2012 6:52 AM
Subject: [dns-operations] DNS ANY record queries - Reflection Attacks
Hi All,
We run a bunch of authoritative servers and have recently observed activity
best described in a post we found here:
https://isc.sans.edu/diary/DNS+ANY+Request+Cannon+-+Need+More+Packets/13261
Using the iptables rules posted as a comment by Network Mouse (in the above
post), we've been able to reduce the amount of junk being sent to the target
host. Most of the target hosts seem to be in Asia, just like those mentioned in
the Sans post.
The question I have for you all is: Is this something affecting other
operators? How have you been dealing with it?
Thanks in advance for your feedback.
-Rob
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs