[Outages-discussion] What Dyn IPs to look for in netflow?

Joe Abley jabley at hopcount.ca
Mon Oct 24 15:45:25 EDT 2016


Hi Andrew,

Actually most resolver code-bases don't behave like that; timeouts and
SERVFAIL responses cause the authority servers to be penalised (by address,
usually) and resolvers exercise something resembling an exponential
backoff.

The default configuration of some resolvers (some releases/packages of
unbound provide good examples) is such that intermittent failures reaching
particular servers can cause prolonged failures to resolve even while the
servers are actually reachable; the resolvers just don't try. People often
tune such resolvers to be more permissive of observed failures from
authority servers but the result is usually still far from what you seem to
be describing.

The ecosystem of devices that send queries to authority servers is diverse
and has a long tail, and I'm not suggesting that back-off behaviour above
is universal. The significant query sources we see do back off from the
conditions you described, though; they do not aggressively retry. I would
expect aggregate flow stats through connecting networks to reflect the
majority behaviour, not the outliers.


Joe
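
Joe's point that the aggregate should drop rather than spike, as an added toy model that is not code from this thread or from any real resolver: two authority addresses, one unreachable for three minutes, compared under a naive fixed-retry policy and a per-address exponential hold-off. The server names, outage window, retry count and backoff parameters are constructed assumptions, not any implementation's defaults.

```python
from collections import Counter

SERVERS = ("auth-a", "auth-b")  # constructed: two authority addresses, auth-a preferred
OUTAGE = (60, 240)              # constructed: auth-a times out for t in [60, 240)
MAX_TRIES = 4                   # attempts a resolver makes per client query

def healthy(server, now):
    """auth-a is unreachable during the outage window; auth-b always answers."""
    return not (server == "auth-a" and OUTAGE[0] <= now < OUTAGE[1])

class NaiveRetry:
    """Retries the preferred address three times before failing over."""
    def choose(self, now, attempt):
        return SERVERS[0] if attempt < 3 else SERVERS[1]

    def record(self, server, ok, now):
        pass

class PenaltyBackoff:
    """Per-address hold-off: each failure doubles it (capped); a success clears it."""
    def __init__(self, base=1.0, cap=64.0):
        self.base, self.cap = base, cap
        self.hold = {s: 0.0 for s in SERVERS}     # current hold-off length (seconds)
        self.next_ok = {s: 0.0 for s in SERVERS}  # earliest time to try the address again

    def choose(self, now, attempt):
        eligible = [s for s in SERVERS if self.next_ok[s] <= now]
        return eligible[0] if eligible else min(SERVERS, key=self.next_ok.get)

    def record(self, server, ok, now):
        if ok:
            self.hold[server], self.next_ok[server] = 0.0, now
        else:
            self.hold[server] = min(self.cap, max(self.base, 2 * self.hold[server]))
            self.next_ok[server] = now + self.hold[server]

def simulate(policy, duration=300, bucket=60):
    """One client query per second; returns per-minute query counts sent to auth-a."""
    sent = Counter()
    for now in range(duration):
        for attempt in range(MAX_TRIES):
            server = policy.choose(now, attempt)
            ok = healthy(server, now)
            sent[server, now // bucket] += 1
            policy.record(server, ok, now)
            if ok:
                break
    return [sent["auth-a", b] for b in range(duration // bucket)]
```

During the outage minutes the naive policy sends three times the baseline to the failing address, while the hold-off policy sends a handful of probes per minute; that is the difference a per-destination netflow baseline would show.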

On Oct 24, 2016, at 15:34, Andrew Smith <andrew.william.smith at gmail.com>
wrote:

I'd caution against assuming that a significant spike in requests per
second to affected Dyn servers was definitely part of the attack. As long
as resolvers were receiving SERVFAILs and timeouts, they'd have been generating
an abnormally large number of retries.

Andrew

On Mon, Oct 24, 2016 at 12:04 PM, Outages <virendra.rode at outages.org> wrote:

> See if this helps,
>
> https://labs.ripe.net/Members/massimo_candela/a-quick-look-at-the-attack-on-dyn
>
> --
> regards,
> /vrode
>
> On Oct 22, 2016, at 6:48 PM, Charles Sprickman <spork at bway.net> wrote:
>
> I wanted to poke through our netflow data from Friday to see if any
> customers were involved.  Do we have any idea which Dyn IPs were being hit
> in the east coast attack?
>
> I’ve been poking around with sorting by packet count to UDP 53, but I’m
> not even sure this was an application level or volumetric attack. Nothing
> is standing out (yet)…
>
> Thanks,
>
> Charles
> --
> Charles Sprickman
> NetEng/SysAdmin
> Bway.net - New York's Best Internet www.bway.net
> spork at bway.net - 212.982.9800
>
>
>
> _______________________________________________
> Outages-discussion mailing list
> Outages-discussion at outages.org
> https://puck.nether.net/mailman/listinfo/outages-discussion