[nsp] DNS DoS, limiting options

james hackerwacker at tarpit.cybermesa.com
Fri May 23 13:14:40 EDT 2003


At present we have just one primary DNS server, which is being DoS'ed at 12 hour intervals.
Net-flows indicate this is just on port 53. I have Snorted the traffic (just the headers) & all sources are friendly
DNS servers, ie, well known providers. It has taken a while for me to make enough space to dump all external port 53 traffic
in binary, but this is now in place. We are working several issues with configs to stop this huge amount of traffic;
there are several issues that have stacked up, & altogether these issues cause 250kbps and above amounts of traffic
to happen for about 20 mins, every 12 hrs. We have moved up plans to upgrade BIND and diversify our
primary DNS servers. Binary dumps indicate this is not hostile, just due to a complex set of conditions
and misconfigs by several parties. Our secondary NS, at our upstream, is trying like crazy to get a PTR on one of our
webservers, and the PTR was broken. Now fixed. Still working on some complex issues with our MX, which goes to Postini, and not our
mail server, but we get pounded with PTR requests for this MX. All will be clear as soon as I get a full binary capture
of this whole event.

Questions for the list:

I have tried some rate-limiting and traffic shaping at about the 100kbps level, as this seems to be the rate at which
BIND dies. However, it seems policing makes things worse. Given that this is legit traffic, this seems to make sense;
dropping just makes things take longer.
It does seem that as I rate limit more, say from 120k down to 100k, then we get hit with more traffic. But these 2 events
may not be related, as this problem may just be getting worse on its own.
Once I realized the traffic was legit and not hostile, I moved to traffic shaping (edge and core are 7206s,
DS-3 connects to the internet). Am I going the wrong way with traffic policing? Should I ask upstream to drop/shape?
Other suggestions? It is going to be a day or so before I get all issues resolved to stop this, so I am looking for a
short term solution.


James Edwards
Routing and Security
jamesh at cybermesa.com
At the Santa Fe Office: Internet at Cyber Mesa
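The analysis James describes, working out from the port 53 traffic whether a flood is hostile or a handful of friendly resolvers re-asking the same broken PTR, can be done from the server's own query log before the full binary capture is in. The script below is an added example, not part of the original post or the thread; it assumes BIND 9 style query-log lines, and the addresses (RFC 5737 documentation ranges), names and the `KNOWN_RESOLVERS` allowlist are constructed for illustration. It reports the dominant questions, the peak per-second rate, the share of traffic from allowlisted resolvers, and how much of the traffic is the same source repeating the same question, which is the fingerprint of retries and failed negative caching rather than a distributed attack, and also the reason policing legitimate queries tends to add load instead of shedding it.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in BIND 9 query-log style. Addresses come from the
# RFC 5737 documentation ranges and the names are hypothetical; this is
# not the capture from the original post.
SAMPLE_LOG = """\
23-May-2003 13:00:00.100 client 198.51.100.1#53: query: 25.2.0.192.in-addr.arpa IN PTR
23-May-2003 13:00:00.300 client 198.51.100.1#53: query: 25.2.0.192.in-addr.arpa IN PTR
23-May-2003 13:00:00.500 client 198.51.100.2#53: query: 25.2.0.192.in-addr.arpa IN PTR
23-May-2003 13:00:00.900 client 198.51.100.1#53: query: 25.2.0.192.in-addr.arpa IN PTR
23-May-2003 13:00:01.200 client 198.51.100.2#53: query: 25.2.0.192.in-addr.arpa IN PTR
23-May-2003 13:00:01.400 client 203.0.113.7#40212: query: www.example.net IN A
23-May-2003 13:00:02.000 client 198.51.100.1#53: query: 25.2.0.192.in-addr.arpa IN PTR
23-May-2003 13:00:02.100 client 198.51.100.9#53: query: mail.example.net IN MX
"""

# Constructed allowlist standing in for the "well known providers'" resolvers.
KNOWN_RESOLVERS = {"198.51.100.1", "198.51.100.2"}

# Timestamp, source address (port dropped), qname and qtype from one log line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?P<src>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Return one dict per parseable line: timestamp, source IP, qname, qtype."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a query entry; ignore
        records.append({
            "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"),
            "src": m["src"],
            "qname": m["qname"].lower().rstrip("."),
            "qtype": m["qtype"].upper(),
        })
    return records


def top_questions(records, n=3):
    """Most frequent (qname, qtype) pairs; one dominant PTR points at a config
    problem on the queried name rather than at a flood."""
    return Counter((r["qname"], r["qtype"]) for r in records).most_common(n)


def peak_qps(records):
    """Highest number of queries seen in any one-second bucket."""
    buckets = Counter(r["ts"] for r in records)  # ts already has second granularity
    return max(buckets.values(), default=0)


def known_resolver_share(records, allowlist):
    """Fraction of queries sent by allowlisted resolvers (1.0 == all 'friendly')."""
    if not records:
        return 0.0
    return sum(1 for r in records if r["src"] in allowlist) / len(records)


def repeat_ratio(records):
    """Share of queries that repeat an identical (src, qname, qtype) question.
    A high value means the same resolvers keep re-asking the same thing: retries
    or failed negative caching, not many distinct attackers."""
    if not records:
        return 0.0
    distinct = {(r["src"], r["qname"], r["qtype"]) for r in records}
    return 1 - len(distinct) / len(records)


def summarize(text, allowlist=KNOWN_RESOLVERS):
    """Run all four measures over a query-log text and return them as a dict."""
    records = parse_query_log(text)
    return {
        "total": len(records),
        "top": top_questions(records),
        "peak_qps": peak_qps(records),
        "known_share": known_resolver_share(records, allowlist),
        "repeat_ratio": repeat_ratio(records),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample, six of eight queries are the same PTR question, three quarters of the traffic comes from allowlisted resolvers, and half of all queries are repeats of a question the same source already asked. That combination says "fix the record (or the negative-cache TTL) at the source of the repeats" rather than "police the link", which matches the post's own conclusion that dropping legitimate queries only stretches the event out.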