
I had one of my clients have the same thing happen to them 3 nights in a row about 10 days ago. All of a sudden they got dumped a ton of traffic out of nowhere. Torrent tracker updates and what seemed like legitimate traffic routed to the wrong IP. Then after about an hour most of it stopped. During the attack and after, we changed some firewall settings and clamped down our requests-per-second and connections-per-IP limits on the web servers. One big change was having the web servers respond 444 to any host request that was not configured (i.e. default). So if someone came to the IP looking for, say, google.com they would get a 444 response, as it is obviously misrouted traffic.

Then the next day the same thing happened, but with much more traffic. The 444 change helped some, but there was just too much traffic for the web servers to handle quickly, so they bogged down to a crawl. Luckily we were able to figure out through Server Fault and some other searches that it appears to be DNS poisoning coming from China. We ended up banning the entire country.

The third day the same thing happened, but because we had blocked the traffic from China at our outside firewall the servers were unaffected. Since then we have seen some flashes of traffic being blocked, but not nearly as much as before.

In all cases the increased volume of traffic only lasted about an hour. The only thing I can surmise about the length of time is DNS records only being cached for about an hour. So after that time the poisoned cached DNS records were replaced by the real resolving IP address. In the case of the article's author, their servers suffered a much longer attack than we did. I am not sure if it is the Chinese government doing it or an attack-for-hire scheme using holes in many Chinese-based DNS servers.

TL;DR: Remove default server settings from your web servers and have the default server block respond 444 or 404. This may help stave off the attack until your incoming traffic takes up all available resources of the web servers. Of course, you could always block all traffic based in China like we did.

Here is info on the status codes in case you are curious: http://en.wikipedia.org/wiki/List_of_HTTP_status_codes#4xx_C...
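An nginx configuration sketch of the mitigation described in this comment (a catch-all default server that answers unconfigured Host headers with 444, plus per-IP request and connection limits, and a separate log of the misrouted requests so you can see which hostnames are being pointed at you). This is an added example, not the poster's actual configuration; it assumes nginx, since the comment does not name the web server and 444 is nginx's close-without-response status, and the hostnames, paths and limit values are placeholders.

```nginx
# Added example, not from the original post. http{} portion of nginx.conf.
http {
    # Shared-memory zones keyed by client address; sizes/rates are illustrative.
    limit_req_zone  $binary_remote_addr zone=per_ip_req:10m rate=10r/s;
    limit_conn_zone $binary_remote_addr zone=per_ip_conn:10m;

    # Record the Host header of misrouted requests: it shows which domains'
    # poisoned DNS answers are landing on this IP (useful when diagnosing).
    log_format misrouted '$remote_addr "$host" "$request"';

    # Catch-all: any request whose Host matches no server_name below lands
    # here and the connection is closed without sending a response (444).
    server {
        listen 80 default_server;
        listen 443 ssl default_server;
        server_name _;
        # TLS still needs a certificate to complete the handshake; a
        # self-signed placeholder is enough because nothing is ever served.
        ssl_certificate     /etc/nginx/placeholder.crt;   # placeholder path
        ssl_certificate_key /etc/nginx/placeholder.key;   # placeholder path
        access_log /var/log/nginx/misrouted.log misrouted;
        return 444;
    }

    # The real site: only the hostnames you actually serve.
    server {
        listen 80;
        server_name example.com www.example.com;   # placeholder hostnames

        # Per-IP throttles: 10 r/s sustained with a burst of 20, at most
        # 20 concurrent connections; excess gets 429 rather than 503.
        limit_req  zone=per_ip_req burst=20 nodelay;
        limit_conn per_ip_conn 20;
        limit_req_status  429;
        limit_conn_status 429;

        root /var/www/example;   # placeholder document root
    }
}
```

Check with `nginx -t` before reloading, and confirm the catch-all is active with `curl -sv -H 'Host: not-a-configured-site.example' http://YOUR_IP/`, which should report the connection closed without an HTTP response.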
