said by OOLost: said by cablewizzard: One man's defective P-o-crap Belkin router generating a DNS flood is another man's DDoS. Can you be specific about the inbound traffic? Is it coming from a very large number of IP source addresses, and going to port 53/udp on one of your 5 static IPs?
I've identified two networks which I've now denied in the ACL instead of killing off all port 53 traffic:
ip access-list extended Deny-DDoS-ACL
deny ip 72.8.128.0 0.0.63.255 any
deny ip 209.205.64.0 0.0.31.255 any
permit ip any any
This ACL is applied to the interface as:
ip access-group Deny-DDoS-ACL in
Yesterday, this ACL had been:
deny udp any any eq domain
The above was a temporary fix until I had the time today to sort out all of the IPs which were sourcing the flood.
I'll leave it to you to determine if the routers in these networks are "P-o-crap Belkins."
said by cablewizzard: Do you run a (registered) authoritative DNS server as a matter of regular business at the IP the traffic is going to?
Yes.
said by cablewizzard: How does this impact your service, specifically your outbound traffic (DNS, HTTP)? If you have nothing responding to that traffic, it should NOT be filling your upstream.
Since ACLing the offenders, it's not too too bad. There's still a load of crap banging away on the incoming WAN interface.
said by cablewizzard: No, OOL will not do anti-DDoS filtering for static-IP, unless the DDoS becomes so great that other subscribers' service is impacted - this is not part of the service as described.
Also, your ACL'ing of such traffic is likely wrong: if DoS traffic is inbound to 53/udp, then that's all you should filter, not OUTBOUND TO 53/udp, cause that's your own, presumably legit DNS queries.
Right. Learn Cisco IOS.
ip access-group Deny-DDoS-ACL in
------------------------------^^
It's BEcause, not cause... learn English too.
Acronyms are suffixed with just the suffix sans the apostrophe.
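To make the direction and scope argument in this thread concrete, here is an added Python model (not IOS, and not code from anyone in the thread) that evaluates the two ACLs quoted above against a constructed sample of inbound flows. It assumes the flow records and packet counts shown inline, which are made up for illustration; the ACL entries themselves are the ones posted. It shows that the earlier blanket rule also drops a legitimate resolver's queries to the authoritative server, while the narrowed wildcard-mask entries drop only the two offending ranges.

```python
import ipaddress
from collections import Counter

# Constructed Python model of the ACLs from the thread (illustrative, not IOS).
# Each entry: (action, protocol, source, destination port or None).
# Source is "any" or a (network address, IOS wildcard mask) pair.
NARROW_ACL = [
    ("deny",   "ip",  ("72.8.128.0",   "0.0.63.255"), None),
    ("deny",   "ip",  ("209.205.64.0", "0.0.31.255"), None),
    ("permit", "ip",  "any",                          None),
]

# Yesterday's temporary rule: every inbound UDP packet to port 53 (domain).
# Because the ACL is applied with "ip access-group ... in", this filters
# packets arriving on the WAN interface, not the host's own outbound queries.
BLANKET_ACL = [
    ("deny",   "udp", "any", 53),
    ("permit", "ip",  "any", None),
]


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to an IPv4Network.

    IOS wildcard masks are inverted netmasks: a 0 bit must match, a 1 bit
    is "don't care". So 0.0.63.255 is a /18, 0.0.31.255 is a /19.
    """
    host_bits = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address((~host_bits) & 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)


def entry_matches(entry, src_ip, proto, dst_port):
    """Return True if one ACL entry matches the given packet attributes."""
    _action, ent_proto, src, port = entry
    if ent_proto != "ip" and ent_proto != proto:
        return False
    if port is not None and port != dst_port:
        return False
    if src == "any":
        return True
    return ipaddress.IPv4Address(src_ip) in wildcard_to_network(*src)


def evaluate(acl, src_ip, proto, dst_port):
    """First matching entry wins, as in IOS; implicit deny at the end."""
    for entry in acl:
        if entry_matches(entry, src_ip, proto, dst_port):
            return entry[0]
    return "deny"


# Constructed sample of inbound flows: (source IP, protocol, dst port, packets).
INBOUND_FLOWS = [
    ("72.8.150.7",   "udp", 53, 4000),  # inside 72.8.128.0/18: flood source
    ("209.205.80.9", "udp", 53, 3500),  # inside 209.205.64.0/19: flood source
    ("198.51.100.4", "udp", 53, 12),    # legitimate resolver querying the auth server
    ("203.0.113.9",  "tcp", 80, 30),    # ordinary web traffic
    ("72.8.192.1",   "udp", 53, 5),     # 72.8.192.0/18, outside the denied range
]


def summarize(acl, flows):
    """Tally packets by ACL verdict for a list of flow records."""
    tally = Counter()
    for src_ip, proto, dst_port, packets in flows:
        tally[evaluate(acl, src_ip, proto, dst_port)] += packets
    return dict(tally)


if __name__ == "__main__":
    for name, acl in (("narrow", NARROW_ACL), ("blanket", BLANKET_ACL)):
        print(name, summarize(acl, INBOUND_FLOWS))
```

Running it prints the packet tally per verdict for each ACL; the difference between the two "deny" counts is exactly the legitimate DNS traffic the blanket rule was throwing away along with the flood.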
Sorry but don't get acrimonious with me.
Isn't there a networking forum you can post this on? I don't see how this issue is being caused by Cablevision's services.