My VPS seems to have also been targeted as an unwitting participant in
this attack ...
http://www.merit.edu/mail.archives/nanog/msg14471.html
cod:~# tshark "port domain and (host ns.isprime.com or host ns2.isprime.com)"
Capturing on eth0
0.000000 66.230.160.1 -> 212.13.194.x DNS Standard query NS <Root>
1.142336 66.230.160.1 -> 212.13.194.x DNS Standard query NS <Root>
1.611227 66.230.128.15 -> 212.13.194.x DNS Standard query NS <Root>
2.521652 66.230.160.1 -> 212.13.194.x DNS Standard query NS <Root>
3.615401 66.230.128.15 -> 212.13.194.x DNS Standard query NS <Root>
5.481957 66.230.160.1 -> 212.13.194.x DNS Standard query NS <Root>
5.622538 66.230.128.15 -> 212.13.194.x DNS Standard query NS <Root>
... I think you get the idea.
Until I firewalled [1] these hosts from my DNS server, I was bouncing
back failures to the (legitimate) hosts; apparently the incoming
packets are being spoofed to over 750,000 DNS servers, causing the
"real" hosts to get DoS'd by the failure responses (5Gbit of traffic
:S).
Not sure if anyone else is experiencing the same issue (I only
noticed as I run iftop for other reasons).
~Mat
--
[1]
# rule number goes after the chain name: "-I INPUT 1", not "-I 1 INPUT"
# iptables -I INPUT 1 -p udp --dport domain -s ns2.isprime.com -j DROP
# iptables -I INPUT 1 -p udp --dport domain -s ns.isprime.com -j DROP
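The pattern Mat spotted by eye (a steady stream of "NS <Root>" queries from the same two source addresses, which a real resolver would almost never send to an authoritative server) can be picked out of tshark's one-line output automatically. The script below is an added example and is not part of the original post: it parses lines in the format shown above, counts root-NS queries per source, flags sources whose query rate exceeds a threshold, and prints the corresponding iptables DROP rules. The sample capture is constructed for the demo; the 66.230.160.1 and 66.230.128.15 addresses and timings follow the post, while 10.0.0.9 is an invented, legitimate resolver used as a negative case.

```python
"""Flag spoofed-source DNS reflection traffic in tshark summary output.

Added example, not the original poster's code. Input lines look like
"<time> <src> -> <dst> DNS <summary>", as tshark prints them.
"""
import re
from collections import defaultdict

# One tshark summary line; the destination may be redacted ("212.13.194.x").
LINE_RE = re.compile(
    r"^\s*(?P<t>\d+\.\d+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.x]+)\s+DNS\s+(?P<summary>.+)$"
)

ROOT_NS_QUERY = "Standard query NS <Root>"


def parse_lines(lines):
    """Yield (time, src, summary) for each line that matches the tshark format."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield float(m.group("t")), m.group("src"), m.group("summary").strip()


def find_reflection_sources(lines, max_root_ns_per_sec=0.5, min_queries=3):
    """Return {src: queries_per_second} for sources repeatedly asking for the root NS set.

    A resolver asks an authoritative server for "NS ." rarely, if ever. Many such
    queries from one address in a short window means that address is being spoofed
    and our failure responses are being reflected back at it.
    """
    times = defaultdict(list)
    for t, src, summary in parse_lines(lines):
        if summary == ROOT_NS_QUERY:
            times[src].append(t)
    flagged = {}
    for src, ts in times.items():
        if len(ts) < min_queries:
            continue
        span = max(ts) - min(ts)
        rate = len(ts) / span if span > 0 else float("inf")
        if rate > max_root_ns_per_sec:
            flagged[src] = rate
    return flagged


def iptables_rules(sources, chain="INPUT"):
    """Generate the DROP rules the post added by hand (rule number follows the chain)."""
    return [
        f"iptables -I {chain} 1 -p udp --dport domain -s {src} -j DROP"
        for src in sorted(sources)
    ]


# Constructed sample capture: the isprime lines mirror the post's timings,
# 10.0.0.9 is an invented legitimate resolver (one root NS query, A queries).
SAMPLE = [
    "Capturing on eth0",
    "0.000000 66.230.160.1 -> 212.13.194.x DNS Standard query NS <Root>",
    "0.412000 10.0.0.9 -> 212.13.194.x DNS Standard query A www.example.com",
    "1.142336 66.230.160.1 -> 212.13.194.x DNS Standard query NS <Root>",
    "1.611227 66.230.128.15 -> 212.13.194.x DNS Standard query NS <Root>",
    "2.521652 66.230.160.1 -> 212.13.194.x DNS Standard query NS <Root>",
    "3.615401 66.230.128.15 -> 212.13.194.x DNS Standard query NS <Root>",
    "4.000000 10.0.0.9 -> 212.13.194.x DNS Standard query NS <Root>",
    "5.481957 66.230.160.1 -> 212.13.194.x DNS Standard query NS <Root>",
    "5.622538 66.230.128.15 -> 212.13.194.x DNS Standard query NS <Root>",
]

if __name__ == "__main__":
    flagged = find_reflection_sources(SAMPLE)
    for src, rate in sorted(flagged.items()):
        print(f"{src}: {rate:.2f} root NS queries/sec")
    for rule in iptables_rules(flagged):
        print(rule)
```

Feed it real output with `tshark -l "port domain" | python3 detect.py` style plumbing once you adapt `SAMPLE` to read stdin; the thresholds are deliberately low because even one root-NS query per second from a single address is abnormal for an authoritative-only server. Note the caveat from the post itself: the flagged addresses are the victims, not the attacker, so dropping their queries protects them from your reflected responses rather than stopping the attack.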