Re: New type of DDoS? Anyone saw it?

2016-05-16 Thread Marek Królikowski
Hello, I was thinking of blocking only the clients that attack, with something like this:
/sbin/iptables --insert INPUT -s IP-ADDRESS-CLIENT-WHO-ATTACK -p udp --dport 53 -m string --from 40 --to 80 --algo bm --hex-string '|somethinghere|' -j DROP -m comment --comment "DROP DNS DDoS"
Anyone know how

Re: New type of DDoS? Anyone saw it?

2016-05-16 Thread Mark Andrews
In message , "John W. Blue" writes:
> Apologies. The intent is to drop inbound queries from the internet.
Which is just as bad if they are pointing to a delegated server or are replies to queries from your recursive server. You slow up

Re: New type of DDoS? Anyone saw it?

2016-05-16 Thread John W. Blue
Apologies. The intent is to drop inbound queries from the internet.
From: Mark Andrews <ma...@isc.org>
Sent: May 16, 2016 3:41 PM
To: John W. Blue
Cc: bind-users@lists.isc.org
Subject: Re: New type of DDoS? Anyone saw it?
In message &l

Re: New type of DDoS? Anyone saw it?

2016-05-16 Thread Mark Andrews
In message , "John W. Blue" writes:
>
> Hello Marek,
>
> Do you have an IPv6 assignment? If not, there is really no need to even
> be resolving records. An overly simplistic description of a
> potential solution could be to just drop the

Re: New type of DDoS? Anyone saw it?

2016-05-16 Thread bert hubert
On Mon, May 16, 2016 at 09:20:17PM +0200, Marek Królikowski wrote:
> Hello
> I just call to one of the client who do this DDoS and he confirm, he use UBI
> devices
> Anyone know how to block all query like this: "query 331.206.372.214 IN
> " with random AAA.XXX.YYY.ZZZ address?

RE: New type of DDoS? Anyone saw it?

2016-05-16 Thread Marek Królikowski
o:bert.hub...@netherlabs.nl]
Sent: Monday, May 16, 2016 5:45 PM
To: Marek Królikowski <ad...@wset.edu.pl>
Cc: bind-users@lists.isc.org
Subject: Re: New type of DDoS? Anyone saw it?
On Mon, May 16, 2016 at 05:03:01PM +0200, Marek Królikowski wrote:
> Today i saw my bind eat almost 90%

Re: New type of DDoS? Anyone saw it?

2016-05-16 Thread bert hubert
On Mon, May 16, 2016 at 05:03:01PM +0200, Marek Królikowski wrote:
> Today i saw my bind eat almost 90% of RAM when i check logs I find
> interesting DDoS on my DNS Cluster today:
> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#44968: query: 323.016.231.212
> IN + (8X.1X0.Y.Y)
This may be

Re: New type of DDoS? Anyone saw it?

2016-05-16 Thread John W. Blue
Hello Marek, Do you have an IPv6 assignment? If not, there is really no need to even be resolving records. An overly simplistic description of a potential solution could be to just drop the incoming request via its hex value in much the same way rate limiting is done for the "any"