Need advice.
Someone else owns a domain which has a botnet (IRC) being pointed at it. The guy has changed the DNS entry of this domain to point to my IP, so the botnet is focused on my Linode.
Is there anything I can do about this?
I can't shut down the IRCd, because it's part of a network and there's people using it.
P.S. It's not putting any strain on the servers at all, so please don't like… null route my IP…
1 Reply
If his provider won't help, you could tarpit the bot IPs. The upside of a tarpit is that you minimise the amount of traffic that the attack generates for your Linode and reduce resource utilisation. The downside is that you can end up crashing or seriously overloading the attacking machines, which may provoke a more serious attack, which in turn will cause caker to null route your IP. If the attack is not causing serious problems then just ride it out.
If you decide to go with a tarpit, you need to get round the problem that the netfilter patch-o-matic for the tarpit target has been rejected for inclusion in the regular NF source tree (at the Netfilter Developers Conference last month), so it won't be available on Linodes any time soon. (This is an educated guess - I'm assuming that caker won't want to put half-baked patch-o-matic stuff in his production kernels.) One possible solution is to use the dbtarpit component of SpamCannibal, with its configuration files modified to suit IRC instead of mail. It looks as if this only requires CONFIG_IP_NF_CONNTRACK and CONFIG_IP_NF_QUEUE, which are both in the Linode kernels.
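An added illustration of the tarpit idea (an example written for this thread, not code from the reply or from SpamCannibal/dbtarpit): a minimal application-level tarpit in Python that holds connections from listed bot ranges open and feeds them one byte at a time, so each bot sits waiting instead of reconnecting. The bot ranges are a constructed sample, and the listener assumes the flood is steered to its port (for instance by a DNAT rule) rather than to the real IRCd.

```python
import asyncio
import ipaddress
# Constructed sample of source ranges seen flooding the IRCd (documentation
# prefixes, not real indicators).
BOT_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.7/32")]

def is_bot_source(ip, nets=BOT_NETS):
    """True if ip falls inside one of the listed bot source networks."""
    return any(ipaddress.ip_address(ip) in net for net in nets)

def make_handler(nets, delay, max_chunks):
    """Bot sources get one byte every `delay` seconds and are never read from,
    so the client sits waiting instead of reconnecting; others are dropped."""
    filler = b":tarpit NOTICE * :please wait\r\n"
    async def handle(reader, writer):
        peer = writer.get_extra_info("peername")[0]
        try:
            if is_bot_source(peer, nets):
                for i in range(max_chunks):
                    j = i % len(filler)
                    writer.write(filler[j:j + 1])
                    await writer.drain()
                    await asyncio.sleep(delay)
        finally:
            writer.close()
            await writer.wait_closed()
    return handle

async def serve(host, port, nets=BOT_NETS, delay=10.0, max_chunks=10 ** 9):
    # Production entry point; assumes bot connections are steered to this port.
    server = await asyncio.start_server(make_handler(nets, delay, max_chunks), host, port)
    async with server:
        await server.serve_forever()

async def _loopback_trial(delay, max_chunks):
    # Self-test: treat loopback as a bot net, connect, read until released.
    nets = [ipaddress.ip_network("127.0.0.0/8")]
    server = await asyncio.start_server(make_handler(nets, delay, max_chunks), "127.0.0.1", 0)
    async with server:
        port = server.sockets[0].getsockname()[1]
        start = asyncio.get_running_loop().time()
        reader, writer = await asyncio.open_connection("127.0.0.1", port)
        data = await reader.read()  # returns only when the tarpit closes the socket
        writer.close()
        await writer.wait_closed()
        return len(data), asyncio.get_running_loop().time() - start

def loopback_trial(delay=0.01, max_chunks=5):
    return asyncio.run(_loopback_trial(delay, max_chunks))
```

`loopback_trial()` returns the bytes received and the seconds one tarpitted connection was held; `serve()` is the listener you would actually run.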