Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: DOS attack against DNS?

  • From: Joe Shen
  • Date: Tue Jan 17 12:03:00 2006

Last Saturday one of our Web servers experienced a TCP
SYN attack which made the system go down for four hours.
It seems there is not a good solution which could
detect & defend against DoS traffic at any time.

So, as to the class ANY queries, should we only filter
out class ANY queries on public cache servers? To my
understanding, the amplifying result could also be
reached by query type ANY.

Joe 


--- Alon Tirosh <j0keralpha@gmail.com> wrote:

> Admitted, I did not notice the type/class difference. I responded as a
> knee-jerk reaction, and that is my mistake.
>
> For the second part, the ANY query type is useful (when targeted at either
> your NS and/or public NS servers) to quickly alert to issues such as the one
> being discussed with GoDaddy and Nectartech right now on this list.
>
> Pick and/or set up an NS server that is TTL agnostic (flameArmor: this
> system is to be used for disparate up-to-date checks only, and I know by
> spec this is far from foolproof but it's saved my ass a couple times in the
> past) and checks disparate roots and it's useful for finding or alerting to
> major name system, registrar, and provider issues quickly.
>
> I'm diverging off-topic, I'm sure. gnight.
>
> On 1/17/06, william(at)elan.net <william@elan.net> wrote:
> >
> > Did you notice that it was class "ANY" and not type "ANY" that Paul noted?
> > I've never ever heard of it being used anywhere....
> >
> > As for ANY query type, what do you think will happen when you query with
> > "ANY" to a host in a domain that is not in your local dns server cache?
> > And btw if it is in your dns cache, how predictable do you think such
> > results are going to be???
> >
> > On Tue, 17 Jan 2006, Alon Tirosh wrote:
> >
> > > Not true. The ANY query has multiple uses for consolidating multiple
> > > diagnostic queries into a single display, and also for diversion
> > > monitoring systems on small domains or groups of same. Not all of us
> > > have the resources (or time) of large ISPs behind us.
> > >
> > > On 15 Jan 2006 17:27:40 +0000, Paul Vixie <vixie@vix.com> wrote:
> > >>
> > >>> client xx.xx.xx.xx#6704: query: z.tn.co.za ANY ANY +E
> > >>
> > >> class "ANY" has no purpose in the real world, not even for debugging.  if
> > >> you see it in a query, you can assume malicious intent.  if you hear it in
> > >> a query, you can safely ignore that query, or at best, map it to class
> > >> "IN".
> > >> --
> > >> Paul Vixie
> >
> 
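
The class/type distinction argued over in this thread, as an added example that is not part of the original messages: a Python sketch that separates class ANY queries from type ANY queries in query log lines. It assumes the field order of the log line Paul Vixie quoted (qname, then class, then type); the sample lines, timestamps and addresses are constructed.

```python
import re
from collections import Counter

# Assumed layout, following the log line quoted in the thread:
#   client <addr>#<port>: query: <qname> <qclass> <qtype> <flags>
QUERY_RE = re.compile(
    r"client (?P<addr>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

# Constructed sample lines; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
17-Jan-2006 12:00:01.100 client 192.0.2.10#6704: query: z.tn.co.za ANY ANY +E
17-Jan-2006 12:00:01.200 client 192.0.2.10#6705: query: z.tn.co.za ANY ANY +E
17-Jan-2006 12:00:02.000 client 198.51.100.7#3301: query: example.org IN ANY +
17-Jan-2006 12:00:03.000 client 203.0.113.5#4410: query: www.example.org IN A +
17-Jan-2006 12:00:04.000 client 203.0.113.5#4411: query: example.org any MX +
this line is not a query log entry
"""

def classify(line):
    """Return (client, qname, verdict) for a query log line, or None if unparsable."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    qclass, qtype = m["qclass"].upper(), m["qtype"].upper()
    if qclass == "ANY":
        # The case Paul Vixie describes: ignore the query or map it to class IN.
        verdict = "class-any"
    elif qtype == "ANY":
        # Type ANY: diagnostic use per Alon Tirosh, amplification concern per Joe Shen.
        verdict = "type-any"
    else:
        verdict = "normal"
    return m["addr"], m["qname"], verdict

def summarize(log_text):
    """Count verdicts per client address across all parsable lines."""
    counts = Counter()
    for line in log_text.splitlines():
        result = classify(line)
        if result is not None:
            addr, _qname, verdict = result
            counts[(addr, verdict)] += 1
    return counts

if __name__ == "__main__":
    for (addr, verdict), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{addr:15} {verdict:10} {n}")
```

Checking the class field before the type field matters here: a line such as "ANY ANY" is counted once, under class-any, rather than being lumped in with ordinary type ANY lookups.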



	
	
		