| From | Sent On | Attachments |
|---|---|---|
| Mike Lyon | Jan 9, 2009 4:40 pm | |
| Todd T. Fries | Jan 20, 2009 12:54 pm | |
| Graeme Fowler | Jan 21, 2009 9:07 am | |
| Phil Rosenthal | Jan 21, 2009 9:27 am | |
| Justin Krejci | Jan 21, 2009 9:32 am | |
| Dale Carstensen | Jan 21, 2009 10:18 am | |
| Aaron Hopkins | Jan 21, 2009 10:21 am | |
| Harald Koch | Jan 21, 2009 10:23 am | |
| Graeme Fowler | Jan 21, 2009 11:31 am | |
| Bjørn Mork | Jan 22, 2009 3:01 am | |
| Phil Rosenthal | Jan 23, 2009 10:11 am | |
| Steven Lisson | Jan 23, 2009 11:46 am | |
| Luke Sheldrick | Jan 23, 2009 12:20 pm | |
| Joe Abley | Jan 23, 2009 12:32 pm | |
| Chris McDonald | Jan 23, 2009 1:21 pm | |
| Brian Keefer | Jan 23, 2009 2:26 pm | |
| Nathan Ollerenshaw | Jan 23, 2009 3:41 pm | |
| Mark Andrews | Jan 23, 2009 3:59 pm | |
| Noel Butler | Jan 23, 2009 5:50 pm | |
| Seth Mattinen | Jan 23, 2009 6:05 pm | |
| Jeffrey Lyon | Jan 23, 2009 6:13 pm | |
| Gadi Evron | Jan 23, 2009 6:17 pm | |
| Seth Mattinen | Jan 23, 2009 6:32 pm | |
| Vald...@vt.edu | Jan 23, 2009 7:31 pm | |
| Brandon Galbraith | Jan 23, 2009 7:34 pm | |
| Jamie A Lawrence | Jan 23, 2009 7:49 pm | |
| Frank Bulk | Jan 23, 2009 7:58 pm | |
| Christopher Morrow | Jan 23, 2009 8:10 pm | |
| Danny McPherson | Jan 23, 2009 8:53 pm | |
| David Conrad | Jan 23, 2009 9:06 pm | |
| Danny McPherson | Jan 23, 2009 9:16 pm | |
| Jack Bates | Jan 23, 2009 9:34 pm | |
| Roland Dobbins | Jan 23, 2009 10:03 pm | |
| Jon Kibler | Jan 24, 2009 7:01 am | |
| J.D. Falk | Jan 24, 2009 9:24 am | |
| Seth Mattinen | Jan 24, 2009 10:18 am | |
| Brian Keefer | Jan 24, 2009 11:03 am | |
| Michael Dillon | Jan 24, 2009 11:56 am | |
| David Conrad | Jan 24, 2009 2:38 pm | |
| Brian Keefer | Jan 24, 2009 4:50 pm | |
| Mark Andrews | Jan 24, 2009 5:01 pm | |
| Martin Hannigan | Jan 24, 2009 5:34 pm | |
| Mark Andrews | Jan 24, 2009 6:04 pm | |
| Paul Ferguson | Jan 24, 2009 6:12 pm | |
| Frank Bulk | Jan 24, 2009 7:00 pm | |
| Roger Marquis | Jan 24, 2009 9:32 pm | |
| Andrew Fried | Jan 24, 2009 9:53 pm | |
| Eugeniu Patrascu | Jan 25, 2009 1:07 am | |
| Brian Keefer | Jan 25, 2009 1:22 am | |
| James Hess | Jan 25, 2009 1:22 am | |
| Eugeniu Patrascu | Jan 25, 2009 1:56 am | |
| David Andersen | Jan 25, 2009 9:23 am | |
| Andrew Fried | Jan 25, 2009 11:46 am | |
| Michael Dillon | Jan 25, 2009 2:14 pm | |
| a.ha...@gmail.com | Jan 25, 2009 2:49 pm | |
| Lorell Hathcock | Jan 25, 2009 5:26 pm | |
| David Conrad | Jan 25, 2009 7:47 pm | |
| Brian Keefer | Jan 27, 2009 6:33 am | |
| Brian Keefer | Jan 27, 2009 6:41 am | |
| Xaver Aerni | Jan 27, 2009 7:37 am | |
| Subject: | isprime DOS in progress | |
|---|---|---|
| From: | Todd T. Fries (nan...@email.fries.net) | |
| Date: | Jan 20, 2009 12:54:51 pm | |
| List: | edu.merit.nanog | |
You guys might want to be aware that isprime.com (I am not affiliated or representing them, just passing on info since friends and I noticed this) is actively under a DOS where lots of people's dns servers around the world are being queried with bogus-sourced dns requests, not from port 53, for 'NS? .'. This then bounces back to their authoritative nameservers, which are getting traffic overload. They've asked that those of us who can should block all but port 53 from the following two IPs (their dns servers as seen on whois) so as not to block legitimate dns info:

66.230.128.15
66.230.160.1
Here is the response from their abuse department:
To: to...@fries.net
Subject: Re: dos info?
From: ISPrime Support <supp...@isprime.com>
Date: Tue, 20 Jan 2009 15:16:02 -0500 (EST)
Hello,
These are the result of a spoofed dns recursion attack against our servers. The
actual packets in question (the ones reaching your servers) do NOT originate
from our network; as such, there is no way for us to filter things from our end.
If you are receiving queries from 76.9.31.42/76.9.16.171 neither of these
machines make legitimate outbound dns requests so an inbound filter of packets
to udp/53 from either of these two sources is perfect.
If you are receiving queries from 66.230.128.15/66.230.160.1 these servers are
authoritative nameservers. Please do not blackhole either of these IPs as they
host many domains. However, these IPs do not make outbound DNS requests so
filtering requests to your IPs from these ips with a destination port of 53
should block any illegitimate requests.
An ACL similar to:

```
access-list 110 deny udp host 66.230.160.1 neq 53 any eq 53
access-list 110 deny udp host 66.230.128.15 neq 53 any eq 53
access-list 110 remark IOS ACLs end in an implicit deny, so permit the rest explicitly
access-list 110 permit ip any any
```

is what you want.
I would also suggest taking a look at the excellent CYMRU secure bind template
(assuming you are running bind), to help you configure your nameservers so that
you do not participate in this attack:
http://www.cymru.com/Documents/secure-bind-template.html.
Thanks for your help in mitigating this attack against us.
Please let me know if I can be of further assistance.
ISPrime Support supp...@isprime.com ICQ: 136633378
On 2009-01-20, at 15:14:33, "Todd T. Fries" <to...@fries.net> wrote:
I was told to write here for your writeup on what to block and such to help you guys out given the DOS that is ongoing.
Thanks,
-- Todd Fries .. to...@fries.net
Free Daemon Consulting, LLC | http://FreeDaemonConsulting.com
1.636.410.0632 (voice) | 1.405.227.9094 (voice) | 1.866.792.3418 (FAX) | 250797 (FWD)
"..in support of free software solutions."
37E7 D3EB 74D0 8D66 A68D B866 0326 204E 3F42 004A http://todd.fries.net/pgp.txt
Penned by Mike Lyon on 20090109 16:41.04, we have:
| If so, would you mind hitting me up offlist? I have a few questions that i
| am unable to get answered through normal channels.
|
| Cheers,
| Mike
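The reply above describes two things an operator can act on: the reflection pattern (spoofed 'NS? .' queries reaching open resolvers with the victim's address as source and an ephemeral source port) and the source-port ACL that drops exactly those packets while leaving the victim's real nameservers reachable. The following Python is an added example, not code from the thread or from ISPrime: it models the ACL's match logic and counts root-NS queries per apparent source in BIND 9 style query-log lines. The log lines, the 192.0.2.x addresses and all port numbers are constructed for the example; the only addresses taken from the thread are the two ISPrime nameserver IPs. The query-log line shape (`client <ip>#<port>: query: <name> IN <type> <flags>`) is assumed to match the resolver's logging format.

```python
"""Model the ISPrime source-port ACL and spot the 'NS? .' reflection pattern in
a resolver's query log.  Added example; not part of the NANOG thread.  All log
lines and addresses other than the two ISPrime nameserver IPs are constructed."""
import re
from collections import Counter
from dataclasses import dataclass

# The two authoritative nameservers the thread says never originate queries.
VICTIM_AUTH_SERVERS = frozenset({"66.230.160.1", "66.230.128.15"})


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


def acl_110(pkt: Packet) -> str:
    """Equivalent of 'access-list 110 deny udp host <victim> neq 53 any eq 53'.

    Spoofed queries carry the victim's address with an ephemeral source port;
    genuine traffic from those hosts (answers to our queries) leaves from
    port 53, so only the non-53 source port is dropped.  Everything else is
    permitted, which on IOS needs an explicit 'permit ip any any' because a
    numbered ACL otherwise ends in an implicit deny.
    """
    if (pkt.proto == "udp" and pkt.src in VICTIM_AUTH_SERVERS
            and pkt.sport != 53 and pkt.dport == 53):
        return "deny"
    return "permit"


# Assumed BIND 9 query-log shape:
#   '<date> client <ip>#<port>: query: <name> IN <type> <flags>'
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_query_log(lines):
    """Yield (src_ip, src_port, qname, qtype, recursion_desired) per query line.

    Lines that are not queries (zone loads, etc.) or that do not match the
    assumed format are skipped rather than raising.
    """
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        yield (m["ip"], int(m["port"]), m["qname"], m["qtype"],
               m["flags"].startswith("+"))


def reflection_sources(lines, threshold=1):
    """Count '. IN NS' queries per apparent source address.

    The attack in the thread asks resolvers for the root NS set (a small query
    with a large answer) using the victim's address as source, so a resolver
    sees a stream of root-NS queries 'from' the victim.  Returns the sources
    with at least `threshold` such queries, most frequent first.
    """
    counts = Counter()
    for src, _port, qname, qtype, _rd in parse_query_log(lines):
        if qname == "." and qtype == "NS":
            counts[src] += 1
    return {src: n for src, n in counts.most_common() if n >= threshold}


# Constructed sample log: the 192.0.2.10 client, the zone line and every port
# are invented; the two 66.230.x.x addresses are the ones named in the thread.
SAMPLE_LOG = [
    "20-Jan-2009 15:10:01.001 client 66.230.160.1#41233: query: . IN NS +",
    "20-Jan-2009 15:10:01.002 client 66.230.128.15#51882: query: . IN NS +",
    "20-Jan-2009 15:10:01.003 client 192.0.2.10#33000: query: www.example.com IN A +",
    "20-Jan-2009 15:10:01.004 client 66.230.160.1#41234: query: . IN NS +",
    "20-Jan-2009 15:10:01.005 zone example.com/IN: loaded serial 2009012001",
]

if __name__ == "__main__":
    for src, n in reflection_sources(SAMPLE_LOG).items():
        print(f"{src}: {n} root-NS queries seen")
    spoofed = Packet("66.230.160.1", 41233, "192.0.2.53", 53)
    print(spoofed, "->", acl_110(spoofed))
```

The ACL model is deliberately narrow: it keys on the victim addresses because that is the only reliable signal the reflector has, since the spoofed source is indistinguishable from the real one apart from the source port. The query-log counter is the resolver-side check for the same event; a resolver that refuses recursion from outside its own networks (the point of the Cymru template the reply links) will not answer these queries at all, and the counter then only shows that they were attempted.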