On Thu, 31 Jan 2013, Cliff Stanford wrote:
> Just before 09:00 this morning we saw a 100 Mbps port saturated. Upon
> investigation the traffic appears to be DNS responses to requests that
> were never made.
> Is this a known DDoS attack, it's a new one on me? Any suggestions on
> how to deal with it?

Yes, we had such an attack against one of our customers a few weeks ago.
Depending on how distributed the attack is, you may be able to filter
traffic on the host/firewall as the attack traffic will probably involve a
lot more traffic from certain hosts than others. Also, others suggested
that if you're using BIND, some rate-limiting modules can be effective, or
consider another DNS server daemon in the longer term which can cope
better with it.
seb
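
An added example, not part of the original thread: one way to find the sources worth filtering is to match inbound DNS responses against the queries the host actually sent and rank the unmatched ones by bytes per source. The record format, the sample data and the 25% share threshold are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records (not real capture data), one packet per line:
# direction  peer_ip  dns_id  qr(0=query,1=response)  bytes
SAMPLE = """\
out 192.0.2.53 4660 0 72
in 192.0.2.53 4660 1 180
in 198.51.100.7 1111 1 3100
in 198.51.100.7 1112 1 3100
in 198.51.100.7 1113 1 3100
in 203.0.113.9 2222 1 2900
in 203.0.113.9 2223 1 2900
in 192.0.2.99 3333 1 400
"""

def unsolicited_by_source(text):
    """Return {peer_ip: [packets, bytes]} for responses matching no query we sent."""
    pending = set()                      # (peer_ip, dns_id) of queries awaiting an answer
    stats = defaultdict(lambda: [0, 0])
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                     # skip malformed records
        direction, peer, dns_id, qr, size = fields
        key = (peer, int(dns_id))
        if direction == "out" and qr == "0":
            pending.add(key)
        elif direction == "in" and qr == "1":
            if key in pending:
                pending.discard(key)     # solicited answer; a repeat would count as unsolicited
            else:
                stats[peer][0] += 1
                stats[peer][1] += int(size)
    return dict(stats)

def filter_candidates(stats, share=0.25):
    """Sources carrying at least `share` of the unsolicited bytes, heaviest first."""
    total = sum(b for _, b in stats.values())
    if total == 0:
        return []
    heavy = [(ip, b) for ip, (_, b) in stats.items() if b / total >= share]
    return sorted(heavy, key=lambda item: -item[1])

if __name__ == "__main__":
    for ip, nbytes in filter_candidates(unsolicited_by_source(SAMPLE)):
        print(f"{ip}\t{nbytes} bytes unsolicited")
```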