Rudolf Leitgeb <rudolf.leit...@gmx.at> writes:

> Am Samstag, den 09.06.2012, 14:11 +0300 schrieb Kostas Zorbadelos:
>> The situation is similar but not the same as the one described here:
>> 
>> https://isc.sans.edu/diary.html?storyid=13261
>> 
>> We used IPtables and the string module to match a specific signature of
>> the problematic queries and it worked quite well (in our attack case the
>> problematic queries had a very specific and simple pattern). 
>
> Mitigating this with snort looks much uglier than the beautiful and
> elegant iptables counter measure posted in this list. Not sure how it
> holds up under load, though.
>

In our case (nameservers handling thousands of queries per second) and
during the time of attack multiple times that, it worked with negligible
performance impact. The actual network traffic however was in the order
of 40-50 Mbps per server.
 
> Since the attacker uses fixed patterns, he/she seems to be a script 
> kiddy, and there is a good chance that the TTL can be used to identify
> his/her packets. My approach would be to check what TTLs the packets
> have vs. those from your clients and see whether you can filter based
> on that.
>

What do you mean identify and filter based on TTL? In our case the
attacker used a specific query for a single domain.

> Rudi
>

Kostas
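The iptables string-module approach Kostas describes, written out as an added example (not posted in the thread); the domain example.com is a constructed placeholder and the 50/s accept rate is an assumption, and the rules are printed rather than applied:

```shell
#!/bin/sh
# Added example: a DNS-query signature match with the iptables xt_string
# module, as the thread describes. The domain "example.com" is a
# constructed placeholder, and the 50/s accept rate is an assumption;
# the rules are printed, not applied.

# dns_wire_hex: turn a domain name into the DNS wire-format QNAME in the
# mixed text/hex notation accepted by --hex-string, so the match is anchored
# on the label length bytes and the terminating zero rather than on a loose
# substring.  Example: example.com -> |07|example|03|com|00|
dns_wire_hex() {
    oldifs=$IFS
    IFS=.
    set -- $1                    # split the name into its labels
    IFS=$oldifs
    out=""
    for label in "$@"; do
        out="${out}|$(printf '%02x' "${#label}")|${label}"
    done
    printf '%s|00|' "$out"
}

# iptables_rules: print two rules for the signature. Legitimate queries for
# the same name match too, so the first rule lets a bounded rate through and
# only the second drops the excess; --icase covers mixed-case QNAMEs.
iptables_rules() {
    sig=$(dns_wire_hex "$1")
    rate=${2:-50/s}
    printf 'iptables -A INPUT -p udp --dport 53 -m string --algo bm --icase --hex-string "%s" -m limit --limit %s -j ACCEPT\n' "$sig" "$rate"
    printf 'iptables -A INPUT -p udp --dport 53 -m string --algo bm --icase --hex-string "%s" -j DROP\n' "$sig"
}

iptables_rules "example.com"
```

Counters from `iptables -L INPUT -v -n` show how many packets each rule matched, which is the quickest way to confirm the signature hits the flood and not ordinary resolver traffic.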
