[Dshield] DNS DOS attempt. need a bit of help

Stephane Grobety security at admin.fulgan.com
Mon Jan 26 18:06:02 GMT 2004


Hello,

Since last week, my server has been the target of a DOS attempt against DNS.
Some IPs in Holland try to saturate the server with root requests
(at a rate of several thousand per second). The server is holding
out without problem (it's configured to auto-block anyone sending more
than 100 requests per second and I have also blocked the specific IP
at the IP level) but I would like this assault to stop.

The attacker is 217.120.182.35, which is a DSL address in home.nl. My
main problem is that I'm strictly unable to read their web page in
order to find either their phone number or their abuse address.
Could someone who understands the language give me a hand there?

My other problem is the following: This particular attacker is pretty
dumb but I'm worried about what could happen if he brightens up and starts
spoofing his source IP, either with random IPs, making it impossible
for me to simply block him based on that criterion, or using IPs of
innocent third parties, which would either make my machine deny service
to them or effectively use my DNS server as a traffic amplifier,
flooding them with UDP packets. What kind of counter-measures exist
to stop that kind of issue?

Thanks,
Stephane
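
The three cases raised in the message above (one real source, random forged sources, and one forged third-party source), run through a per-source threshold; this is an added example, not part of the original post. The addresses are constructed documentation-range samples, and the per-name aggregate counter with its 1000 queries/second limit is an assumption introduced here for illustration.

```python
from collections import Counter

PER_IP_LIMIT = 100      # queries/second per source, the threshold stated in the post
AGGREGATE_LIMIT = 1000  # assumed: queries/second for one name across all sources

def analyze(queries, per_ip_limit=PER_IP_LIMIT, aggregate_limit=AGGREGATE_LIMIT):
    """queries: iterable of (second, src_ip, qname) taken from a query log.
    Returns (blocked_ips, flagged), where flagged is a set of (second, qname)."""
    per_ip = Counter()
    per_name = Counter()
    for second, src, qname in queries:
        per_ip[(second, src)] += 1
        per_name[(second, qname)] += 1
    # Per-source rule: only sees the address written in the packet header.
    blocked = {src for (_, src), n in per_ip.items() if n > per_ip_limit}
    # Aggregate rule: counts one query name per second, whatever the source.
    flagged = {key for key, n in per_name.items() if n > aggregate_limit}
    return blocked, flagged

def sample(kind, n=3000):
    """Constructed traffic: n root ('.') queries within one second."""
    if kind == "single":   # one real source, the situation described in the post
        return [(0, "192.0.2.10", ".")] * n
    if kind == "random":   # every query carries a different forged source
        return [(0, f"10.{i >> 16 & 255}.{i >> 8 & 255}.{i & 255}", ".")
                for i in range(n)]
    if kind == "victim":   # every query carries one third party's address
        return [(0, "198.51.100.7", ".")] * n
    raise ValueError(kind)

if __name__ == "__main__":
    for kind in ("single", "random", "victim"):
        blocked, flagged = analyze(sample(kind))
        print(f"{kind:7} blocked={sorted(blocked)} flagged={sorted(flagged)}")
```

With random forged sources the per-source rule blocks nothing while the aggregate counter still sees the flood; with a forged third-party source the per-source rule blocks the third party, which is the denial of service to an innocent address that the message worries about.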




