ISC.org DRDoS Update 2: Problems with .nl Netherlands TLD
I provided a netfilter rule in my last update that indiscriminately drops packets containing the string “isc.org” on port 53/UDP, which I have had to implement on a client’s network because one of their name servers was being used as an amplifier in a UDP bandwidth-starvation DRDoS attack. I was afraid this sort of blunt-object approach might have unforeseen ramifications when I wrote a snort rule of similar design, and today one has reared its ugly head. It turns out this string is part of the payload in transactions with (at least) the .nl root servers. This would not normally be much of a problem for a small Canadian network, except that the registered name servers for kijiji.ca (a popular free classifieds site) are all under .nl.
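To show why a substring rule has this kind of collateral damage, here is an added example (not from the original post) that compares a naive match on the wire-encoded “isc.org” label sequence with a check that parses the DNS header and only flags inbound queries for isc.org IN ANY, letting responses that merely carry the string pass. The two messages are constructed test fixtures; the “ns.isc.org” name in the response is a hypothetical placeholder and not a claim about the real .nl servers.

```python
import struct

def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return out + b"\x00"

def build_message(qname, qtype, response=False, answer_ns=None):
    """Build a minimal DNS message (constructed test data, ID fixed at 0x1234)."""
    flags = 0x8180 if response else 0x0100          # QR/RD/RA set for a response, RD for a query
    ancount = 1 if answer_ns else 0
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)   # QCLASS IN
    if answer_ns:                                    # one NS record in the answer section
        rdata = encode_name(answer_ns)
        msg += encode_name(qname) + struct.pack("!HHIH", 2, 1, 3600, len(rdata)) + rdata
    return msg

def parse_qname(msg, off):
    """Read an uncompressed QNAME starting at off; return (name, next offset)."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln

NAIVE_PATTERN = b"\x03isc\x03org"   # how "isc.org" actually appears on the wire

def naive_match(msg):
    """The blunt-object rule: any packet containing the label sequence."""
    return NAIVE_PATTERN in msg

def is_isc_amplification_query(msg):
    """True only for an inbound query (QR=0) whose question is isc.org IN ANY (qtype 255)."""
    if len(msg) < 12:
        return False
    flags, qdcount = struct.unpack("!HH", msg[2:6])
    if flags & 0x8000 or qdcount < 1:       # QR set: this is a response, not amplifier bait
        return False
    qname, off = parse_qname(msg, 12)
    qtype, = struct.unpack("!H", msg[off:off + 2])
    return qname.lower() == "isc.org" and qtype == 255

# Constructed fixtures: the bait query, and a legitimate response that carries the string.
ABUSE_QUERY = build_message("isc.org", 255)
LEGIT_RESPONSE = build_message("example.nl", 2, response=True, answer_ns="ns.isc.org")
```

Run against the fixtures, the naive rule drops both messages while the header-aware check drops only the bait query.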
As you can see, my friends haven’t taken the hint and buggered off to greener pastures yet; the spike correlates with my removing and replacing the netfilter rule. You’ll notice the inbound stays steady after the outbound drops off; that’s because the packets are only being dropped at the name servers rather than at the gateway as usual (I double-wrap for his pleasure).
I have a number of options and currently I find none of them particularly satisfactory. For the interim the solution has been to provide clients with a secondary name server off the network. More to come?