Under attack?! #net
Yesterday evening my home router started acting up. Instead of ping showing a latency of a couple of ms it went up to hundreds, and on top of that it started dropping 40-80% of the packets.
I tried turning it off and on again, wildly guessing that my ISP maybe had done some kind of upgrade or something.
It started up nicely, but then bogged down again. After a while I looked at the smokeping graph, which confirmed that something was wrong:
I noticed that on my three DNS servers, one behind this router and two on VPSs, named was in the top of the CPU usage list. Hm.
ngrep'ing traffic on port 53 revealed a single IP doing a lot of requests for asjo.org. As in thousands.
I even got a warning from one of the VPS hosters telling me about the sudden spike in outbound traffic.
I started dropping the packets from that IP on the servers, and in the router, the outbound traffic disappeared, and my router no longer suffered. Yay!
It seems like a weird low-key DoS attack, but it's kind of hard to understand. It's not that disruptive - luckily - and it seems to come from one IP-address only.
Well, almost. After I started dropping all packets from that IP, another one showed up as excessively active, so I started dropping packets from that one as well. Almost as soon as I did, the barrage from this second IP stopped completely.
The first IP, however, is still sending UDP packets at some 1-2 MBps to each VPS, here more than 24 hours later. Go figure.
I know that various people mistake my domain asjo.org for something else from time to time (when I had a Twitter account @asjo that also happened quite a bit), but what this IP-address - apparently somewhere in central China - has against my DNS servers, I can't tell. It's odd.
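
The per-source tally that ngrep made visible can also be run over the name server's query log; this is an added example, not code from the original post. It assumes query logging is enabled in named and that entries follow BIND's "client IP#port (name): query:" layout; the sample lines, addresses and thresholds are constructed.

```python
import re
from collections import Counter, defaultdict

# Client address and query name from a BIND-style query log line.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+ "
    r"\((?P<qname>[^)]*)\): query:"
)

def heavy_sources(lines, min_queries=1000, min_share=0.5):
    """Return (ip, count, share, top_qname) for sources that dominate the log."""
    per_ip = Counter()
    names = defaultdict(Counter)
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query entry (startup messages, errors, ...)
        qname = m["qname"].lower().rstrip(".")
        per_ip[m["ip"]] += 1
        names[m["ip"]][qname] += 1
    total = sum(per_ip.values())
    flagged = []
    for ip, count in per_ip.most_common():
        # Both conditions must hold, so a quiet server with one client is not flagged.
        if count >= min_queries and count / total >= min_share:
            top_qname = names[ip].most_common(1)[0][0]
            flagged.append((ip, count, round(count / total, 3), top_qname))
    return flagged

def sample_log():
    """Constructed input: documentation-range addresses, one noisy source."""
    fmt = "01-Jan-2024 20:15:00.000 client {ip}#{port} ({q}): query: {q} IN A + (192.0.2.53)"
    lines = ["01-Jan-2024 20:14:59.000 general: info: running"]
    lines += [fmt.format(ip="203.0.113.7", port=40000 + i % 1000, q="asjo.org") for i in range(3000)]
    lines += [fmt.format(ip="198.51.100.10", port=5353, q="www.asjo.org")] * 40
    lines += [fmt.format(ip="198.51.100.22", port=5354, q="asjo.org")] * 25
    return lines

if __name__ == "__main__":
    # UDP source addresses can be forged, so treat a flagged address as a lead
    # to confirm before blocking it.
    for ip, count, share, qname in heavy_sources(sample_log()):
        print(f"{ip}: {count} queries ({share:.1%} of total), mostly for {qname}")
```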