[nsp-sec] DNS Type 2 (Authoritative NS) query for "." DDoS ongoing-> Attn AS 23393 (ISPrime)

Smith, Donald Donald.Smith at qwest.com
Tue Jan 20 11:13:13 EST 2009


In this case I was looking at traffic towards the set of victim's addresses udp 53.
I didn't look for interfaceIndex = 0 but that is a good idea :)


Donald.Smith at qwest.com
Please cc the handlers to keep them all in the loop.
________________________________
From: Danny McPherson [danny at tcb.net]
Sent: Tuesday, January 20, 2009 9:07 AM
To: Smith, Donald
Cc: White, Gerard; nsp-security at puck.nether.net
Subject: Re: [nsp-sec] DNS Type 2 (Authoritative NS) query for "." DDoS ongoing-> Attn AS 23393 (ISPrime)


On Jan 20, 2009, at 9:03 AM, Smith, Donald wrote:

> That is a possibility but in most cases packets that get dropped
> STILL create netflow. I know that is true for ACL dropped packets in
> at least most cases.
> Not sure about uRPF or other BCP 38 methods.

Ahh, right, if you're pulling flows from those routers
then reported egress ifIndex should be 0.  Do you guys
look for those records, or BCP 38 violation counts, or
are you looking at flows from those ingress PEs?

-danny
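
The check discussed in this thread, as an added example that is not part of either message: split UDP/53 flows toward the victim addresses into records with egress ifIndex 0 (dropped at that router) and records that were forwarded, grouped by ingress interface. The CSV layout, router names, and addresses are constructed placeholders, not data from the thread.

```python
import csv
import io
from collections import Counter

# Constructed sample flow export (not data from the thread). Assumed columns:
# router, input ifIndex, output ifIndex, IP protocol, dst address, dst port, packets.
SAMPLE_FLOWS = """router,in_if,out_if,proto,dst,dport,packets
pe1,12,0,17,192.0.2.10,53,4000
pe1,12,0,17,192.0.2.11,53,3500
pe1,14,7,17,192.0.2.10,53,900
pe2,3,0,17,192.0.2.10,53,1200
pe2,3,9,17,198.51.100.5,53,50
pe2,5,0,6,192.0.2.10,80,10
"""

VICTIMS = {"192.0.2.10", "192.0.2.11"}  # placeholder victim addresses


def summarize(flow_csv, victims):
    """Split UDP/53 packets toward the victims into dropped vs forwarded.

    Results are keyed by (router, input ifIndex) so the ingress edge stands out.
    out_if == 0 is treated as "dropped at this router", as described in the
    thread; it can also appear for traffic addressed to the router itself.
    """
    dropped, forwarded = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"] != "17" or row["dport"] != "53":
            continue  # only UDP port 53
        if row["dst"] not in victims:
            continue  # only traffic toward the victim set
        key = (row["router"], int(row["in_if"]))
        bucket = dropped if int(row["out_if"]) == 0 else forwarded
        bucket[key] += int(row["packets"])
    return dropped, forwarded


if __name__ == "__main__":
    dropped, forwarded = summarize(SAMPLE_FLOWS, VICTIMS)
    for key in sorted(set(dropped) | set(forwarded)):
        print(key, "dropped:", dropped[key], "forwarded:", forwarded[key])
```

An ingress interface with a large dropped count and nothing forwarded is one where filtering is already catching the traffic; a forwarded count on an edge interface is where it is still getting through.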


