Slow service early this morning and the temporary unavailability of mail.eskimo.com was the result of a denial of service attack where upon our name servers were used as amplifiers in a denial of service attack aimed at us.  I had to lower the external view rate limit because of this, hopefully it is still adequate to service legitimate requests.

     There are aspects of this attack that I do not understand.  They forged an address of 204.122.16.248 from outside (udp packets so no three-way connect) and directed requests at 204.122.16.8, so our name servers would attempt to reply to 204.122.16.248 but there was no host on that IP address and the result was that our router didn’t know what to do with it and it overloaded it logging what it considered “Martian” packets.

     The puzzling aspect of this is I have a firewall rule that SHOULD block all traffic from an external interface which has an internal address.  I was able to mitigate the attack by blackholeing 204.122.16.248 at the name servers and rate limiting responses.