North American Network Operators Group
Re: DOS attack against DNS?
- From: Joe Shen
- Date: Tue Jan 17 12:03:00 2006
Last Saturday one of our Web servers experienced a TCP
SYN attack which took the system down for four hours.
It seems there is not a good solution which could
detect & defend against DoS traffic at any time.
So, for the class ANY queries, should we only filter
out class ANY queries on public cache servers? To my
understanding, the amplifying result could also be
reached by query type ANY.
--- Alon Tirosh <firstname.lastname@example.org> wrote:
> Admitted, I did not notice the type/class difference. I responded as a knee
> jerk reaction, and that is my mistake.
> For the second part, the any query type is useful (when targeted at either
> your NS and/or public NS servers) to quickly alert to issues such as the one
> being discussed with GoDaddy and Nectartech right now on this list.
> Pick and/or set up an NS server that is TTL agnostic (flameArmor: this
> system is to be used for disparate up-to-date checks only, and I know by
> spec this is far from foolproof but it's saved my ass a couple times in the
> past) and checks disparate roots and it's useful for finding or alerting to
> major name system, registrar, and provider issues
> I'm diverging off-topic, I'm sure. gnight.
> On 1/17/06, william(at)elan.net <email@example.com>
> > Did you notice that it was class "ANY" and not type "ANY" that Paul noted?
> > I've never ever heard of it being used
> > As for ANY query type, what do you think will happen when you query with
> > "ANY" to a host in a domain that is not in your local dns server cache?
> > And btw if it is in your dns cache, how predictable do you think such
> > results are going to be???
> > On Tue, 17 Jan 2006, Alon Tirosh wrote:
> > > Not true, the ANY query has multiple uses for consolidating multiple
> > > diagnostic queries into a single display, and also for diversion monitoring
> > > systems on small domains or groups of same. Not all of us have the resources
> > > (or time) of large ISPs behind us.
> > >
> > > On 15 Jan 2006 17:27:40 +0000, Paul Vixie <firstname.lastname@example.org> wrote:
> > >>
> > >>> client xx.xx.xx.xx#6704: query: z.tn.co.za ANY ANY +E
> > >>
> > >> class "ANY" has no purpose in the real world, not even for debugging. if
> > >> you see it in a query, you can assume malicious intent. if you hear it in
> > >> a query, you can safely ignore that query, or at best, map it to class
> > >> "IN".
> > >> --
> > >> Paul Vixie
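Added example, not part of any post in this thread: a small Python filter that separates class ANY from type ANY in query-log lines shaped like the one quoted above and counts them per client. The field order (class before type, as in BIND's query log), the function names and the sample lines are assumptions made for the illustration.

```python
import re
from collections import Counter

# Line shape quoted in the thread:
#   client <ip>#<port>: query: <qname> <QCLASS> <QTYPE> <flags>
# Assumption: class comes before type, as in BIND's query log.
LINE_RE = re.compile(
    r"client (?P<ip>[^#\s]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

def classify(line):
    """Return (client_ip, qname, verdict), or None for non-query lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    qclass, qtype = m["qclass"].upper(), m["qtype"].upper()
    if qclass == "ANY":
        verdict = "class-any"   # the case Paul Vixie's post is about
    elif qtype == "ANY":
        verdict = "type-any"    # the separate case raised in the replies
    else:
        verdict = "normal"
    return m["ip"], m["qname"].lower(), verdict

def summarize(lines, threshold=2):
    """Map (client_ip, verdict) -> count for non-normal queries >= threshold."""
    counts = Counter()
    for line in lines:
        rec = classify(line)
        if rec is not None and rec[2] != "normal":
            counts[(rec[0], rec[2])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample log (documentation addresses; only the first line's
# query name and flags come from the thread).
SAMPLE = [
    "named[411]: client 192.0.2.10#6704: query: z.tn.co.za ANY ANY +E",
    "named[411]: client 192.0.2.10#6705: query: z.tn.co.za ANY ANY +E",
    "named[411]: client 198.51.100.7#3301: query: example.com IN ANY +",
    "named[411]: client 198.51.100.7#3302: query: www.example.com IN A +",
    "named[411]: client 203.0.113.5#4000: updating zone 'example.com/IN'",
]

if __name__ == "__main__":
    for (ip, verdict), n in sorted(summarize(SAMPLE, threshold=1).items()):
        print(f"{ip}\t{verdict}\t{n}")
```

Keeping the two verdicts separate lets an operator treat class ANY and type ANY differently, which is the distinction the thread turns on.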