koldfront

Under attack?! #net

Yesterday evening my home router started acting up. Instead of ping showing a latency of a couple of ms it went up to hundreds, and on top of that it started dropping 40-80% of the packets.

I tried turning it off and on again, wildly guessing that my ISP maybe had done some kind of upgrade or something.

It started up nicely, but then bogged down again. After a while I looked at the smokeping graph, which confirmed that something was wrong:

I noticed that on my three DNS servers, one behind this router and two on VPS's, named was in the top of the CPU usage list. Hm.

ngrep'ing traffic on port 53 revealed a single IP doing a lot of requests for asjo.org. As in thousands.

I even got a warning from one of the VPS hosters telling me about the sudden spike in outbound traffic.

I started dropping the packets from that IP on the servers, and in the router, the outbound traffic disappeared, and my router no longer suffered. Yay!

It seems like a weird low-key DoS attack, but it's kind of hard to understand. It's not that disruptive - luckily - and it seems to come from one IP-address only.

Well, almost. After I started dropping all packets from that IP, another one showed up as excessively active, so I started dropping packet from that one as well. Almost as soon as I did, the barrage from this second IP stopped completely.

The first IP, however, is still sending UDP packets at some 1-2 MBps to each VPS, here more than 24 hours later. Go figure.

I know that various people mistake my domain asjo.org for something else from time to time (when I had a Twitter account @asjo that also happened quite a bit), but what this IP-address - apparently somewhere in central China - has against my DNS servers, I can't tell. It's odd.