DDoS Attack - What would you do? - Page 2

Comments

  • chihcherng said: We could report only those verified open resolvers.

    And then... what? You want to close 8.8.8.8 down now?

    Most open DNS servers are very good by now at preventing misuse.

    chihcherng said: The only reason botnets and DDoS become big is because the victims don't know their computers are infected by malware or abused by hackers

    An open resolver is never a hacked system. They are either configured wrong or intentionally open. No sane hacker would install a DNS server somewhere just to use it for DDoS, especially if he has root access and can just send packets directly.

  • Do you have any kind of information about the attack? Packet length, structure, impact etc?

  • mfs (Banned, Member)

    William said: An open resolver is never a hacked system. They are either configured wrong or intentionally open

    I respect your expertise and all, anyway sometimes you are so focused on some details you seem to lose the general meaning of some of the posts you quote. hackers/crackers/skids/abusers are terms often used interchangeably even if they are not supposed to be really the same; chihcherng seems to contemplate various hypotheses but he doesn't really seem to imply that a hacker would get root access to install BIND...

    About reporting DNS resolvers, for sure it would be pointless to report any and all open DNS resolvers but, as bsdguy hinted, providers should be vigilant and reporting abusing (or abused) IP ranges won't harm (on the contrary, you could learn who's professional and who's not). No more than ~6 hours ago I received another mail from OVH confirming that they blocked yet another failover IP I previously reported for UDP flood. Their response time seems to be around ~24 hours (except on weekends). Reporting abuse patterns to providers is a pain but if everyone were doing that, it wouldn't be that much of a pain maybe

  • People on LET could use some training on understanding a DDoS attack.

  • mfs said: I respect your expertise and all, anyway sometimes you are so focused on some details you seem to lose the general meaning of some of the posts you quote

    Possibly, however:

    Most DDoS these days is NOT DNS based at all and in size they are only minor; the attack that succeeded them is in fact already dead as well (NTP) and the one after that is also dying by now.

    Problematic attacks are again TCP based and botnets like in IRC times (nowadays IoT and routers, not systems) - this is a logical path as services utilising UDP either switch to TCP to avoid issues/DDoS or never used it in the first place, so can entirely drop it and prevent attacks.

    mfs said: About reporting DNS resolvers, for sure it would be pointless to report any and all open DNS resolvers but, as bsdguy hinted, providers should be vigilant and reporting abusing (or abused) IP ranges won't harm (on the contrary, you could learn who's professional and who's not).

    You seem to think abuse sent to ISPs is always valid, or real; this is a gross misconception.

    Abuse is absolutely not to be trusted - people use DMCA to get owner data and try to force their will, and send fake logs/dumps to get customers shut down.

    mfs said: No more than ~6 hours ago I received another mail from OVH confirming that they blocked yet another failover IP I previously reported for UDP flood.

    Sending abuse is fine, but expecting it to work on especially notorious uncooperative ISPs that are the major sources (CU, CT, PTT) is wishful thinking, because you have no legal enforcement ability and they do not need to care.

    mfs said: Reporting abuse patterns to providers is a pain but if everyone were doing that, it wouldn't be that much of a pain maybe

    What you do works on OVH. Or Leaseweb. Or hell, even Rostelecom. But this absolutely does not work in China or Brazil. They do not need to care and do not care.
