Hi All,
hoping someone can help shed some light.
For the last 7 days my external DNS servers have been targeted by a well-known botnet. Essentially the perpetrators are attempting to hammer my DNS servers with bad DNS requests.
Neither of my DNS servers is sitting out on the net; I publish them with some static NATs.
The question is this: I originally became aware because the IDS subsystem on the router was alerting me to the suspicious traffic:
%IPS-4-SIGNATURE: Sig:4620 Subsig:0 Sev:2 DNS Limited Broadcast Query [the.attacker.ip.addy:21749 -> my.dns.server.ip:53]
I decided the best way to protect us with the least amount of overhead was to blackhole the host:
ip route the.attacker.ip.addy 255.255.255.255 null0
In the past when I blackhole an IP or a range, the traffic stops being logged. In this case I am still logging tens of thousands of hits per day, just as before the blackhole.
Does this mean I have an ACL that is allowing the traffic in anyhow?
Don't routes get processed before ACLs?
What is the best way to deal with this situation with the least amount of overhead?
Thanks in advance for any light you can shed on this problem.
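The post's null route and the two source-based alternatives, as an added IOS configuration example that is not part of the original post. A static route is a destination lookup: `ip route <attacker> 255.255.255.255 null0` only discards packets whose destination is the attacker, i.e. the DNS server's replies, while the inbound queries are destined to the published DNS address, are forwarded (and NATed) normally, and are still inspected and logged by the IPS. Dropping on the source address needs either an inbound ACL on the outside interface or loose-mode uRPF, which makes an existing null route act on the source. Addresses are RFC 5737 documentation placeholders (198.51.100.7 for the attacker, 192.0.2.53 for the DNS server's public NAT address) and the outside interface name is assumed.

```cisco
! Added example, not from the original post. 198.51.100.7 = attacker (placeholder),
! 192.0.2.53 = DNS server's public NAT address (placeholder), GigabitEthernet0/0 =
! outside interface (assumed).

! --- What the post already has: a destination-based null route ---
! Only packets DESTINED to 198.51.100.7 (the DNS replies) hit this route.
! Queries from 198.51.100.7 to 192.0.2.53 are routed normally and still reach
! the IPS, which is why the signature keeps firing.
ip route 198.51.100.7 255.255.255.255 Null0

! --- Option 1: inbound ACL on the outside interface, matching the SOURCE ---
! Evaluated on ingress, before NAT and IPS inspection, so the hits stop being logged.
ip access-list extended OUTSIDE-IN
 deny   udp host 198.51.100.7 any eq domain log
 deny   tcp host 198.51.100.7 any eq domain log
 permit ip any any
!
interface GigabitEthernet0/0
 description outside
 ip access-group OUTSIDE-IN in

! --- Option 2: keep managing blackholes as routes, but apply them to the SOURCE ---
! Loose-mode uRPF drops any packet whose source address has no route or whose
! route points to Null0. With this on, the existing null route above now discards
! the attacker's inbound packets, and further attackers are blocked by adding
! one more "ip route ... Null0" line each.
interface GigabitEthernet0/0
 ip verify unicast source reachable-via any

! --- Verify ---
! show ip access-lists OUTSIDE-IN     -> the deny entries' match counters should climb
! show ip interface GigabitEthernet0/0 -> shows the uRPF mode and verification drop count
```

Option 2 is the lower-overhead choice when the set of attacking hosts changes often, since each new source is a one-line route rather than an ACL edit; the caveat is that loose uRPF also drops any legitimate source that has no route in the table at all, so check that a default route (or full routing) is present on the outside interface before enabling it.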