Re: DNS requests from 209.67.50.203 (fwd)

[Joe Shaw <jshaw () INSYNC NET>]

The following came across the NANOG list today.  Anyone else experiencing
this?  I have not seen mention of this specific attack previously, but
realize that I may have overlooked it.

Regards,
--
Joseph W. Shaw
Sr. Network Security Specialist for Big Company not to be named.
I have public opinions, and they have public relations.

---------- Forwarded message ----------
Date: Tue, 09 Jan 2001 19:24:39 -0500
From: Steven M. Bellovin <smb () research att com>
To: jtk () aharp is-net depaul edu
Cc: nanog () merit edu
Subject: Re: DNS requests from 209.67.50.203


In message <3A5BA3C3.CEAAD37D () depaul edu>, John Kristoff writes:
> I'm surprised this hasn't come up in NANOG yet...
>
> On a university list many sites are reporting large amounts of traffic
> appearing to come from 209.67.50.203 to their DNS servers.  The
> administrator of the source IP (spoofed of course) is the victim of a
> brutal DoS attack.  The traffic is UDP/DNS queries that are appear to be
> going directly to available DNS servers (as opposed to random hosts).
> Most sites are reporting on the order of 6 or more packets per second to
> their DNS servers.  The victim has apparently seen upwards of 90 Mb/s of
> traffic coming back in to them.  Does anyone here have anymore
> information on this attack?

Yes, it's a DDoS attack, of the type that Vern Paxson has dubbed
"refletor attacks".  You send a forged DNS query to a DNS server; it
sends its reply to the victim.  Then you have lots of hosts around the
net doing this, but banging on different DNS servers.



                --Steve Bellovin