[nsp-sec] DNS DDoS against Softlayer
Tom Daly
tom at dyn-inc.com
Wed May 27 13:50:26 EDT 2009
Teams,
The sources from the packeting we took last week are attached - anyone know of bots or C&Cs related?
Can folks from Rackspace, SoftLayer, or others please post sources for correlation?
The attack seemed primarily composed of IP packets set to protocol type UDP with an invalid payload. The more-fragments bit was always set. We've also seen non-more-fragments packets with invalid payloads of specific packet lengths, 540 bytes and 1480 bytes.
Here are the filters being used to mitigate:
term DNS-Frag {
    from {
        destination-prefix-list {
            DNSServers;
        }
        fragment-flags more-fragments;
        destination-port domain;
    }
    then {
        count dns-fragment;
        log;
        discard;
    }
}
term DNS-BadSize {
    from {
        destination-prefix-list {
            DNSServers;
        }
        packet-length [ 540 1480 ];
        destination-port domain;
    }
    then {
        count dns-badsize;
        log;
        discard;
    }
}
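Added example (not from the post or from Dyn): a small Python model of the two terms above, run over constructed packet-header summaries, to show which sampled packets each term would count and discard. The prefix list and packet values are made up, and it assumes the router evaluates a port condition only on packets that actually carry a transport header, so non-first fragments fall through both terms.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for prefix-list DNSServers (not real Dyn addresses).
DNS_SERVERS = {"192.0.2.53", "192.0.2.54"}
BAD_SIZES = {540, 1480}   # packet-length [ 540 1480 ]
DOMAIN = 53               # destination-port domain

@dataclass(frozen=True)
class Pkt:
    """Constructed IPv4 header summary for one sampled packet."""
    dst: str
    length: int           # total IP length in bytes
    mf: bool              # more-fragments bit
    frag_offset: int      # in 8-byte units; 0 = first (or only) fragment
    dport: Optional[int]  # None when no UDP header is present (non-first fragment)

def classify(p: Pkt) -> Optional[str]:
    """Return the first matching term name, or None if the packet falls
    through to whatever terms follow. Assumption: a destination-port
    condition can only match when the transport header is present."""
    if p.dst not in DNS_SERVERS:
        return None
    if p.dport != DOMAIN:        # also covers dport None (later fragments)
        return None
    if p.mf:                     # term DNS-Frag
        return "DNS-Frag"
    if p.length in BAD_SIZES:    # term DNS-BadSize
        return "DNS-BadSize"
    return None

# Constructed samples; none are taken from the attached source list.
SAMPLE = [
    Pkt("192.0.2.53", 1480, True, 0, 53),      # first fragment, MF set
    Pkt("192.0.2.53", 1480, True, 185, None),  # later fragment, no UDP header
    Pkt("192.0.2.53", 540, False, 0, 53),      # unfragmented, suspicious size
    Pkt("192.0.2.53", 87, False, 0, 53),       # ordinary query
    Pkt("198.51.100.9", 540, False, 0, 53),    # not in DNSServers
]

def tally(pkts) -> dict:
    """Mirror the 'count' actions: packets dropped per term, plus fall-through."""
    counts = {"DNS-Frag": 0, "DNS-BadSize": 0, "accepted": 0}
    for p in pkts:
        counts[classify(p) or "accepted"] += 1
    return counts

if __name__ == "__main__":
    print(tally(SAMPLE))
```

The second sample packet is the point worth checking in a real deployment: later fragments of the same datagram carry no port, so they are only caught if an additional term matches on fragment offset rather than on port.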
Regards,
Tom
--
Tom Daly
Dynamic Network Services, Inc.
P: +1-603-296-1537
http://dynamicnetworkservices.com/
Attachment (text scrubbed by the list archive): asninfo-20090520.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20090527/a9074f40/attachment-0001.txt>