Ok, so some of you have heard about my recent experience with a Nigerian 419er and how he's been unsuccessfully DDoSing me for literally days (I turned off my firewall for a second to see that he's surely still going at it).
Then today suddenly my internet went out again. I noticed in Wireshark that I was receiving absolutely nothing but outbound DNS requests to two different IPs, but many different name servers. After some basic network troubleshooting and about 1000 more DNS requests, all outbound, I started thinking that this was a DNS amplification attack. Seems there isn't much one can do about such attacks. At least, according to le interweb. I tried a couple different iptables rules to no avail. I don't understand DNS amplification as well as I should, but I guess iptables doesn't do much against this.
Anyway, after some time of almost calling it quits because I was tired and feeling stupid, I went into my router to poke around. I noticed that in the settings I had it set to a static DNS address. All I did was switch that to get it dynamically from the ISP, as well as my IP address, and suddenly everything went back to normal. Does this make sense?
Let me cut this straight.
A 'DNS amplification attack' works by requesting a packet from a server (pref UDP) and spoofing the source address.
Thus the tradeoff between request size and response has to be positive.
1kb in 10kb out, stuff like that.
But I do not really believe you can see this traffic on the LAN side; if you do, something is really off.
Unless you have some fancy bridged modem setup, the modem's firewalling functions should drop the packets from the outside when they obviously were not initiated by the LAN side; there is simply no open port to allow the connections in. In most cases only the NAT table would be responsible for these open ports.
Since the port was triggered from the inside you should not have any internal traffic.
Modem logging is a different thing.
It can flatline by having to drop a lot of UDP traffic; I've seen modems crying for this reason.
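Added example, not part of either post: a small Python check for telling the cases discussed in this thread apart in captured port 53 traffic, by reading the QR bit in each DNS header and pairing replies with the queries that went out. The function names and sample packets are constructed for illustration (documentation addresses, not a real capture), and the pairing uses only server address and transaction ID, ignoring UDP ports.

```python
import struct

def dns_header(payload):
    """Return (txid, is_response) from the 12-byte DNS header, or None if too short."""
    if len(payload) < 12:
        return None
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000)  # QR bit: 0 = query, 1 = response

def classify(packets, local_ip):
    """packets: (src_ip, dst_ip, udp_payload) tuples for UDP port 53 traffic."""
    pending = {}  # (server, txid) -> size of the query we sent
    out = {"answered": 0, "unsolicited": 0, "malformed": 0, "other": 0,
           "max_amplification": 0.0}
    for src, dst, payload in packets:
        hdr = dns_header(payload)
        if hdr is None:
            out["malformed"] += 1
            continue
        txid, is_response = hdr
        if src == local_ip and not is_response:
            pending[(dst, txid)] = len(payload)
        elif dst == local_ip and is_response:
            query_len = pending.pop((src, txid), None)
            if query_len is None:
                # No query of ours matches: what a reflection victim would receive.
                out["unsolicited"] += 1
            else:
                out["answered"] += 1
                ratio = len(payload) / query_len  # response size over request size
                out["max_amplification"] = max(out["max_amplification"], ratio)
        else:
            out["other"] += 1
    out["unanswered"] = len(pending)  # queries that left but never got a reply
    return out

def msg(txid, response, size):
    """Constructed DNS message: valid header, zero padding up to `size` bytes."""
    flags = 0x8180 if response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0).ljust(size, b"\x00")

# Constructed sample traffic (documentation addresses, not a real capture).
LOCAL, RESOLVER, STRANGER = "192.0.2.10", "198.51.100.53", "203.0.113.7"
SAMPLE = [
    (LOCAL, RESOLVER, msg(1, False, 40)),    # our query
    (RESOLVER, LOCAL, msg(1, True, 400)),    # matching reply, 10x larger
    (LOCAL, RESOLVER, msg(2, False, 40)),    # query that never gets answered
    (STRANGER, LOCAL, msg(77, True, 3000)),  # reply we never asked for
    (STRANGER, LOCAL, msg(78, True, 3000)),
    (STRANGER, LOCAL, b"\x00" * 5),          # too short to be DNS
]
```

A high `unsolicited` count points at reflected traffic arriving from outside, while a high `unanswered` count with nothing coming back points at a resolver that is not replying.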