New type of DDoS? Anyone saw it?

John W. Blue john.blue at rrcic.com
Mon May 16 15:44:27 UTC 2016


Hello Marek,

Do you have an IPv6 assignment?  If not, there is really no need to even be resolving AAAA records.  An overly simplistic description of a potential solution could be to just drop the incoming AAAA request via its hex value in much the same way rate limiting is done for the "any" query:

--hex-string '|0000FF0001|'

I don't know off hand what the hex value for AAAA is but it should not be too hard to find.

John


From: Marek Królikowski <admin at wset.edu.pl>
Sent: May 16, 2016 10:04 AM
To: bind-users at lists.isc.org
Subject: New type of DDoS? Anyone saw it?

Hello,
Today I saw my bind eat almost 90% of RAM; when I checked the logs I found an
interesting DDoS on my DNS Cluster today:
16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#44968: query: 323.016.231.212 IN AAAA + (8X.1X0.Y.Y)
16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#44968: slip response to 8X.1X0.33.0/24 for . IN AAAA  (00000000)
16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#38600: query: 235.326.031.064 IN AAAA + (8X.1X0.Y.Y)
16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#38600: drop response to 8X.1X0.33.0/24 for . IN AAAA  (00000000)
16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#51399: query: 331.206.372.214 IN AAAA + (8X.1X0.Y.Y)
16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#51399: slip response to 8X.1X0.33.0/24 for . IN AAAA  (00000000)

Looks like an IN AAAA query about a wrong IPv4 address... I got almost 5000/sec.
Has anyone seen this too?

Best Regards
Marek
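
Added example, not part of the original messages: the '|0000FF0001|' pattern quoted above is the tail of a DNS question (root label 0x00, QTYPE 255 for ANY, QCLASS 1 for IN), so the same construction for AAAA (QTYPE 28) gives '|00001C0001|'. The Python below derives that pattern, builds test queries with a name copied from the log excerpt, and checks which of them a payload substring match would hit. The function names and the rest of the iptables rule (chain, port, --algo) are assumptions; only --hex-string appears in the thread.

```python
import struct

# QTYPE codes: A and ANY (*) from RFC 1035, AAAA from RFC 3596.
QTYPES = {"A": 1, "AAAA": 28, "ANY": 255}

def question_tail(qtype, qclass=1):
    """Bytes that end a question: root label 0x00, QTYPE, QCLASS (IN = 1)."""
    return b"\x00" + struct.pack("!HH", QTYPES[qtype], qclass)

def hex_string(qtype):
    """The same bytes in the |HEX| notation taken by --hex-string."""
    return "|" + question_tail(qtype).hex().upper() + "|"

def build_query(name, qtype, txid=0x1A2B):
    """Minimal one-question query without EDNS: 12-byte header + question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split(".") if p)
    return header + labels + question_tail(qtype)

def parsed_qtype(packet):
    """Walk the first question's labels and return its QTYPE as an int."""
    pos = 12
    while packet[pos] != 0:
        if packet[pos] & 0xC0:
            raise ValueError("compressed name in question")
        pos += 1 + packet[pos]
    return struct.unpack("!H", packet[pos + 1:pos + 3])[0]

def string_match(packet, qtype):
    """What a payload substring match sees: the pattern anywhere in the packet."""
    return question_tail(qtype) in packet

def drop_rule(qtype):
    """Assumed rule layout (INPUT chain, UDP/53); only --hex-string is from the thread."""
    return ("iptables -A INPUT -p udp --dport 53 -m string --algo bm "
            f"--hex-string '{hex_string(qtype)}' -j DROP")

if __name__ == "__main__":
    name = "323.016.231.212"  # query name copied from the log excerpt in the thread
    for qt in ("AAAA", "A", "ANY"):
        pkt = build_query(name, qt)
        print(qt, hex_string(qt), "parsed:", parsed_qtype(pkt),
              "AAAA pattern hit:", string_match(pkt, "AAAA"))
    print(drop_rule("AAAA"))
```

A rule built this way drops every AAAA query arriving over UDP, including legitimate ones from dual-stack resolvers, and does not see queries sent over TCP.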

