From owner-freebsd-hackers@FreeBSD.ORG Mon Nov 26 01:06:00 2007
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 960C016A417 for ; Mon, 26 Nov 2007 01:06:00 +0000 (UTC) (envelope-from dougb@FreeBSD.org)
Received: from mail2.fluidhosting.com (mx21.fluidhosting.com [204.14.89.4]) by mx1.freebsd.org (Postfix) with SMTP id 37FF313C465 for ; Mon, 26 Nov 2007 01:06:00 +0000 (UTC) (envelope-from dougb@FreeBSD.org)
Received: (qmail 31467 invoked by uid 399); 26 Nov 2007 01:05:59 -0000
Received: from localhost (HELO lap.dougb.net) (dougb@dougbarton.us@127.0.0.1) by localhost with ESMTP; 26 Nov 2007 01:05:59 -0000
X-Originating-IP: 127.0.0.1
Message-ID: <474A1BF4.5060901@FreeBSD.org>
Date: Sun, 25 Nov 2007 17:05:56 -0800
From: Doug Barton
Organization: http://www.FreeBSD.org/
User-Agent: Thunderbird 2.0.0.9 (X11/20071119)
MIME-Version: 1.0
To: "Joel V."
References: <003301c82e99$6c099360$0200a8c0@windsor>
In-Reply-To: <003301c82e99$6c099360$0200a8c0@windsor>
X-Enigmail-Version: 0.95.5
OpenPGP: id=D5B2F0FB
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: freebsd-hackers@freebsd.org
Subject: DNS DDoS
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
X-List-Received-Date: Mon, 26 Nov 2007 01:06:00 -0000

Joel V. wrote:
> As a lot of people recommended using tcpdump, here it is. The only thing
> that stands out are hundreds and thousands of lines like this:
>
> 13:45:49.991592 IP 82.165.252.222.36887 > ns1.galandrex.ee.43077: UDP,
> length 9216
> ...
> That IP resolves to u15194704.onlinehome-server.com. Seems to be a German
> ISP. After five seconds the capture.out file was already 2.8MB. You can see
> the file here: https://89.219.136.126/capture.out

Your name server IP is not answering, so I'm guessing here, but it seems
to me that you're being used as a reflector for a DNS-based DDoS attack.

If ns1.galandrex.ee is not authoritative for any domains (i.e., not
listed at any registries/registrars as the NS for a domain), you should
make sure that it's firewalled off so that the outside world cannot
reach it. This type of attack is becoming very common, but fortunately
the answer is simple.

If you need any help with the DNS side of the equation, feel free to
contact me directly.

Doug

-- 
This .signature sanitized for your protection
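The reply above works from a single tcpdump line and says so ("I'm guessing here"). The script below is an added example, not code from Doug, Joel or the FreeBSD project: it parses tcpdump's one-line UDP output in the format quoted in the thread, labels each packet by its role relative to the name server, and aggregates packets and bytes per peer. It assumes the host name ns1.galandrex.ee from the thread and uses constructed sample lines (the first two modelled on the quoted one, the rest on documentation-range addresses) rather than the real capture.out. A host being abused as a reflector shows up as small query_in packets from (spoofed) peers paired with much larger response_out packets to the same peers; large UDP aimed at a non-DNS port lands in other_in, which means the host is the target rather than the reflector.

```python
import re
from collections import defaultdict

# Matches the tcpdump one-liner format quoted in the thread:
#   13:45:49.991592 IP 82.165.252.222.36887 > ns1.galandrex.ee.43077: UDP, length 9216
# Host names contain dots, so the port is taken as the last dotted component.
# Without -n, tcpdump prints port 53 as "domain", so that spelling is accepted too.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>.+?)\.(?P<sport>\d+|domain) > "
    r"(?P<dst>.+?)\.(?P<dport>\d+|domain): UDP, length (?P<length>\d+)"
)


def _port(text):
    return 53 if text == "domain" else int(text)


def parse_line(line):
    """Parse one tcpdump UDP line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "src": m.group("src"), "sport": _port(m.group("sport")),
        "dst": m.group("dst"), "dport": _port(m.group("dport")),
        "length": int(m.group("length")),  # UDP payload length as tcpdump reports it
    }


def classify(rec, ns_host):
    """Label a packet by its role relative to the name server under observation."""
    if rec["dst"] == ns_host and rec["dport"] == 53:
        return "query_in"       # someone (possibly a spoofed source) is querying us
    if rec["src"] == ns_host and rec["sport"] == 53:
        return "response_out"   # our answers; if the query was spoofed, dst is the victim
    if rec["dst"] == ns_host and rec["sport"] == 53:
        return "response_in"    # answers to our own recursive lookups (normal traffic)
    if rec["dst"] == ns_host:
        return "other_in"       # non-DNS UDP aimed at us: we are the target, not a reflector
    if rec["src"] == ns_host:
        return "other_out"
    return "transit"


def summarize(capture_text, ns_host):
    """Aggregate packets and bytes per (category, peer); peer is the non-name-server side."""
    summary = defaultdict(lambda: defaultdict(lambda: {"packets": 0, "bytes": 0}))
    for line in capture_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        cat = classify(rec, ns_host)
        peer = rec["dst"] if rec["src"] == ns_host else rec["src"]
        entry = summary[cat][peer]
        entry["packets"] += 1
        entry["bytes"] += rec["length"]
    return {cat: dict(peers) for cat, peers in summary.items()}


def amplification_factor(summary):
    """Bytes of DNS answers leaving per byte of queries arriving; None if no queries were seen."""
    q = sum(e["bytes"] for e in summary.get("query_in", {}).values())
    r = sum(e["bytes"] for e in summary.get("response_out", {}).values())
    return None if q == 0 else r / q


def top_talkers(summary, n=5):
    """(category, peer, packets, bytes) tuples, heaviest byte count first."""
    rows = [(cat, peer, e["packets"], e["bytes"])
            for cat, peers in summary.items() for peer, e in peers.items()]
    return sorted(rows, key=lambda row: row[3], reverse=True)[:n]


# Constructed sample, modelled on the single line quoted in the thread; not real capture data.
SAMPLE_CAPTURE = """\
13:45:49.991592 IP 82.165.252.222.36887 > ns1.galandrex.ee.43077: UDP, length 9216
13:45:49.991701 IP 82.165.252.222.36887 > ns1.galandrex.ee.43077: UDP, length 9216
13:45:49.992010 IP 203.0.113.9.domain > ns1.galandrex.ee.41200: UDP, length 120
13:45:49.992344 IP 198.51.100.7.5005 > ns1.galandrex.ee.domain: UDP, length 40
13:45:49.992500 IP ns1.galandrex.ee.domain > 198.51.100.7.5005: UDP, length 3100
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_CAPTURE, "ns1.galandrex.ee")
    for row in top_talkers(s):
        print("%-13s %-18s %5d pkts %8d bytes" % row)
    print("amplification factor:", amplification_factor(s))
```

Run it against a real capture with `tcpdump -l -r capture.out udp | python3 script.py` after swapping SAMPLE_CAPTURE for sys.stdin.read(); the tcpdump invocation and host name are the only things to adapt. Whichever case the summary shows, the remedy Doug describes is a firewall rule on the FreeBSD host (pf or ipfw) that admits UDP and TCP port 53 only from the networks that legitimately need to reach a server that is not authoritative for anything.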