nanog mailing list archives
Re: DNS deluge for x.p.ctrc.cc
From: Barrett Lyon <blyon () prolexic com>
Date: Sun, 26 Feb 2006 22:02:17 -0500
I thought I would chime in quickly: one of my customers has been one of the targets of this attack. The x.p.ctrc.cc DNS server was shut down on the 15th; the response itself had a 360000 TTL, so that should be expired by now.
On this end of it, the largest traffic spike we received was around 8 Gbps. The last time we saw this traffic was on the 21st around 2 GMT, with traffic at about 2 Gbps; it has lost a lot of steam. If you see unusual DNS traffic to AS32787 or 72.52.0.0/18, chances are it is part of this attack or the attacker set up a new RR to query against.
I've yet to see a copy of the malware that is doing the spoofed queries itself. If anyone has it, I would like to take a look.
Thanks, and I am really impressed with everyone's reaction to this attack, especially Rob Thomas; he really has a grip on it.
Cheers, -Barrett