up_the_irons: mercutio: yeah, i can't type all those letters with both shift keys pressed
frots: bad keyboard
up_the_irons: brycec: our router won't let traffic leave that is not from the vlan subnet; so no spoofing
brycec: up_the_irons: yeah I figured.
up_the_irons: mercutio: any request dns attacks?
brycec: but user said that traffic was leaving with the proper (vlan) ip
*shrug*
up_the_irons: mnathani: yes, i believe so. my *.arpnetworks.com wildcard cert is on different servers.
brycec: yeah, *shrug*
something wrong on his setup, b/c we use OpenVPN ourselves and many other customers do as well
brycec: I do too
up_the_irons: cool
mercutio: up_the_irons: host -t any arpnetworks.com 4.2.2.2
type attacks
what they do is find open recursive servers and spam them with any requests for legitimate domains
***: userZero has quit IRC (Remote host closed the connection)
mercutio: the recursive servers then keep hitting you again and again with any request for a valid domain name hitting authoritative server
***: userZero has joined #arpnetworks
mercutio: luckily, it seemed to stop, and not last too long
he may not have been natting his vpn traffic
up_the_irons: ... well i've started shifting to blocking all port 53 unless needed to somewhere
i've generally been of the limited firewall mindset.
ie "allow most things, don't get in the way constantl"
y
that said i also block port 445 :)
as soon as you're forwarding for lots of addresses though, constant port hits show up a bit more
up_the_irons: mercutio: yeah we can't block port 53 on our dns cuz that's in heavy use :)
mercutio: up_the_irons: yeh, i understand, i'm running dns on vm myself :)
in multiple locations mind you.
up_the_irons: do you block unused ips?
wee
tracing to 174.136.111.255 loops for instance
that being a broadcast address normally...
cos like when ip probes hit... things like that can loop a bit too
up_the_irons: mercutio: no blocking for unused IPs
***: frots has left "WeeChat 0.3.9.2"
mercutio: it was only 2 megabit or something of traffic about 12 hours ago or so
for a few hours
but sustained
but that could add up, if it lasted a long time
but for some reason, if your domain gets included it'll get hit reasonably often over time from random ips.
and any requests are meant to give more response than how much data sent
i think they're spoofing and trying to hit the person doing the query
err that it masquerades as
***: cullum has joined #arpnetworks
cullum has quit IRC (Quit: ZNC - http://znc.in)
cullum has joined #arpnetworks
dzup has quit IRC (Ping timeout: 260 seconds)
dzup has joined #arpnetworks
xxza has joined #arpnetworks
xxza has quit IRC ()
dj_goku has joined #arpnetworks
dj_goku has quit IRC (Ping timeout: 255 seconds)
dj_goku has joined #arpnetworks
dj_goku has quit IRC (Changing host)
dj_goku has joined #arpnetworks
dj_goku has quit IRC (Ping timeout: 255 seconds)
jamiej has joined #arpnetworks
jamiej: hello
busy here, I see (!)
RandalSchwartz: it's quiet... too quiet. :)
brycec: LOUD NOISES
RandalSchwartz: loud?
brycec: LOUD!
RandalSchwartz: LOUD? :)
-: brycec wishes there were a super-caps
mercutio: super-caps?
RandalSchwartz: papyrus caps
because... well... that font rocks
mercutio: never heard of it
i use consolas
jamiej: ooooh, so my client doesn't beep on new messages it seems :-)
mercutio: heh
that's a good thing? :)
jamiej: not sure yet.
it may be configurable..... just waiting on my new arpnetworks vps!
.... they aren't late - I'm just impatient!
staticsafe: :)
jamiej: ah well, 3.00am here, may as well try again tomorrow
good night/evening/morning whatever!
***: jamiej has quit IRC ()
Webhostbudd has joined #arpnetworks
brycec: lol super-caps, to be even louder than "LOUD"... somehow
***: Lucifer7 has quit IRC (Ping timeout: 246 seconds)
Lucifer7 has joined #arpnetworks