Slow service early this morning and the temporary unavailability of mail.eskimo.com was the result of a denial of service attack where upon our name servers were used as amplifiers in a denial of service attack aimed at us. I had to lower the external view rate limit because of this, hopefully it is still adequate to service legitimate requests.
There are aspects of this attack that I do not understand. They forged an address of 220.127.116.11 from outside (udp packets so no three-way connect) and directed requests at 18.104.22.168, so our name servers would attempt to reply to 22.214.171.124 but there was no host on that IP address and the result was that our router didn’t know what to do with it and it overloaded it logging what it considered “Martian” packets.
The puzzling aspect of this is I have a firewall rule that SHOULD block all traffic from an external interface which has an internal address. I was able to mitigate the attack by blackholeing 126.96.36.199 at the name servers and rate limiting responses.
Ad blocker detected: Our website is made possible by displaying online advertisements to our visitors. Please consider supporting us by disabling your ad blocker on our website.
What's Up With Eskimo's Community!
1 post • Page 1 of 1
Users browsing this forum: No registered users and 18 guests