And to add to the list, LDAP is also a known source of amplification attacks.
Had a customer last week who made a "boo-boo" in his firewall and mistakenly
opened up port 389 (LDAP) to his Windows server. That resulted in the server (and thus our
network) being used as an amplification attack against Google.
Ruben - ON3RVH
On 13 Oct 2017, at 16:17, Rob Janssen <pe1chl(a)amsat.org> wrote:
> I've noticed that after I've left the router a few days with the DNS
> relay open (big mistake!), I was receiving a stream of dummy queries,
> about a hundred per second.
Indeed that is a big mistake :-)
But it is good that you know that and so you can take countermeasures.
Normally after a couple of days this flood will stop, although there is
always some remaining noise from other kinds of DDoS.
E.g. systems on the internet sending a DNS request like that to a resolver they
want to attack, with (one of) your address(es) as the source. The resolver
will send back the large "reply" to your system and there is nothing that
can be done about it. The source address of the packets is the system under
attack, and it is no use sending an abuse message to them because they cannot
do anything either (except blocking DNS requests from 44.x.x.x addresses, but
that could result in "problems" for legitimate users in our network).
This problem can only be solved by widespread adoption of BCP38 (source
address filtering), and the takeup is slow.
Anyway, when configuring your firewall make sure you have a "default deny"
policy and allow only the protocols that you know you are using. This is
especially true for UDP. E.g. SNMP (UDP port 161) is another attack vector
similar to what you have seen now. Don't allow SNMP from the internet.
Best is to allow only what you really need, and for protocols like NTP (UDP 123)
make sure that it is correctly configured so that it only does time replies
to internet addresses and does not allow queries except from the local network.
(Queries can return much more data than the size of the query packet, so they
are used in amplification attacks; time replies are the same size as the request.)
Rob
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
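The size asymmetry Rob describes (queries that return far more data than the request carries, while plain NTP time replies match the request size) is what makes an exposed UDP service usable as a reflector, and it is also what you can look for on your own server to see whether it is being abused. As an added example, not from the thread or from any 44Net tooling, here is a small Python triage script over constructed flow records taken from the responder's side; the port-to-name mapping, sample addresses and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean

# UDP service ports named in the thread (DNS, NTP, SNMP, LDAP).
SERVICE_NAMES = {53: "dns", 123: "ntp", 161: "snmp", 389: "ldap"}

# Constructed sample flow records as seen by the responding server:
# (service port, client address, request bytes, response bytes).
# 198.51.100.7 and 203.0.113.9 are documentation addresses standing in for
# spoofed victims; 44.0.0.10 stands in for a legitimate AMPRNet host.
SAMPLE_FLOWS = [
    (53, "198.51.100.7", 64, 3100),   # small query, very large DNS reply
    (53, "198.51.100.7", 64, 3100),
    (53, "198.51.100.7", 64, 3100),
    (53, "198.51.100.7", 64, 3100),
    (53, "44.0.0.10", 60, 120),       # one ordinary lookup from inside the net
    (123, "198.51.100.7", 48, 48),    # plain time replies: same size as request
    (123, "198.51.100.7", 48, 48),
    (123, "198.51.100.7", 48, 48),
    (123, "203.0.113.9", 8, 440),     # NTP status query with a much larger reply
    (123, "203.0.113.9", 8, 440),
    (123, "203.0.113.9", 8, 440),
]


def amplification_factor(req_bytes, resp_bytes):
    """Bytes sent back per byte received: the bandwidth gain a reflector gives."""
    return resp_bytes / req_bytes if req_bytes else 0.0


def flag_reflection(flows, min_factor=4.0, min_count=3):
    """Return (service, client) pairs that repeatedly received amplified replies.

    With a spoofed source address the responder sees one 'client' (the victim)
    receiving many replies, each far larger than its request. NTP time
    exchanges have a factor of about 1 and are therefore never flagged.
    """
    groups = defaultdict(list)
    for port, client, req, resp in flows:
        name = SERVICE_NAMES.get(port, f"udp/{port}")
        groups[(name, client)].append(amplification_factor(req, resp))
    findings = []
    for (service, client), factors in groups.items():
        avg = mean(factors)
        if len(factors) >= min_count and avg >= min_factor:
            findings.append({"service": service, "victim": client,
                             "replies": len(factors), "factor": round(avg, 1)})
    return sorted(findings, key=lambda f: f["factor"], reverse=True)


if __name__ == "__main__":
    for finding in flag_reflection(SAMPLE_FLOWS):
        print(finding)
```

On a real box the same records can be pulled from a packet capture or flow export on the service port; the point is that a healthy NTP server shows factor 1 traffic only, and anything else is a candidate for the "deny unless needed" rule above.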