Updated: Never — Philip's Blog

Now featuring regular updates!

Sun, 25 Jan 2009

16:30 – Everything is a fscking DNS problem?

Unless you've been living under a rock, or you don't run a DNS server, you will have noticed a flood of queries for "." (the NS records of the root zone) from spoofed source addresses over the last couple of days.

This NANOG thread sums it up nicely:

http://www.merit.edu/mail.archives/nanog/msg14553.html

If your nameserver is configured correctly (not answering queries for zones you're not authoritative for, so no recursion for strangers), the attacker gets no amplification out of you: the spoofed query is answered with a small REFUSED instead of the big root NS answer. The only real problem is then that named's "query denied" entries pollute your syslog a couple of times every second.

This gets old quickly.

I happen to have a PF firewall sitting in front of my nameserver, so that is where the dropping happens:

# spoofed source addresses seen in the "query denied" log entries;
# filled at runtime with pfctl -t ddos_targets -T add ...
table <ddos_targets> {                                        \
      # list of hosts
}
# drop UDP DNS queries from those addresses unless they come from port 53
block drop in quick proto udp from <ddos_targets> port != 53 to any port 53

Using pfctl -t ddos_targets -T add ... I can easily add more hosts to the table when they start filling my logfiles, without reloading pf.conf. Keep in mind that the addresses in the table are the spoofed sources, i.e. the attack's actual victims, so any UDP query they send from a port other than 53 is dropped as well. Firewalls can make life so easy.
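To go from "query denied" noise to table entries without reading syslog by hand, here is a small script I'd run on the nameserver. This is an added example, not code from the original post: it assumes BIND 9's syslog line format ("client IP#port: query (cache) './NS/IN' denied"), a threshold of 10 hits per address, and the table name from the pf.conf above; the log lines in it are constructed. By default it only prints the pfctl commands; set PFCTL=pfctl on the firewall to actually run them.

```shell
#!/bin/sh
# Constructed sample of what syslog sees during the attack (assumption:
# BIND 9 format). 192.0.2.10 and 198.51.100.7 are the spoofed sources;
# the example.com query and the zone line are there to show the filter
# ignores unrelated entries.
SAMPLE_LOG="Jan 25 16:30:01 ns named[1234]: client 192.0.2.10#1234: query (cache) './NS/IN' denied
Jan 25 16:30:01 ns named[1234]: client 192.0.2.10#1235: query (cache) './NS/IN' denied
Jan 25 16:30:02 ns named[1234]: client 198.51.100.7#40001: query (cache) './NS/IN' denied
Jan 25 16:30:02 ns named[1234]: client 203.0.113.5#5353: query (cache) 'example.com/A/IN' denied
Jan 25 16:30:03 ns named[1234]: zone example.org/IN: loaded serial 2009012501
Jan 25 16:30:03 ns named[1234]: client 192.0.2.10#1236: query (cache) './NS/IN' denied
Jan 25 16:30:04 ns named[1234]: client 198.51.100.7#40002: query (cache) './NS/IN' denied
Jan 25 16:30:04 ns named[1234]: client 192.0.2.10#1237: query (cache) './NS/IN' denied"

# Read syslog lines on stdin and print "count ip", most active first, for
# every client that was refused a query for "." at least $1 times
# (default 10, an assumed threshold).
dns_offenders() {
    threshold="${1:-10}"
    awk -v min="$threshold" '
        /query \(cache\) / && /\.\/NS\/IN/ && / denied$/ {
            # find the "client 192.0.2.10#1234:" token pair and keep the address
            for (i = 1; i <= NF; i++)
                if ($i == "client") { split($(i + 1), a, "#"); n[a[1]]++ }
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -rn
}

# Feed the offenders into the PF table. Dry run unless PFCTL is set
# (e.g. PFCTL=pfctl on the firewall); table name defaults to the one used
# in pf.conf above.
add_to_table() {
    table="${1:-ddos_targets}"
    threshold="${2:-10}"
    dns_offenders "$threshold" | while read -r count ip; do
        if [ -n "$PFCTL" ]; then
            "$PFCTL" -t "$table" -T add "$ip"
        else
            printf 'pfctl -t %s -T add %s   # %s hits\n' "$table" "$ip" "$count"
        fi
    done
}

# Usage on the sample: with a threshold of 3 only 192.0.2.10 (4 hits) qualifies.
printf '%s\n' "$SAMPLE_LOG" | add_to_table ddos_targets 3
```

In practice you would replace the sample with `tail -f /var/log/messages` or a cron job over the last log chunk; the threshold keeps a single stray refused query from landing a host in the table.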

16:06 – FOSDEM 2009

Is this really necessary? :-)

Of course I'm going to FOSDEM 2009!