nanog mailing list archives
Re: DNS requests from 209.67.50.203
From: Kevin Houle <kjh () cert org>
Date: Wed, 10 Jan 2001 09:36:27 -0500
John Kristoff wrote:
On a university list many sites are reporting large amounts of traffic appearing to come from 209.67.50.203 to their DNS servers. The administrator of the source IP (spoofed of course) is the victim of a brutal DoS attack. The traffic is UDP/DNS queries that are appear to be going directly to available DNS servers (as opposed to random hosts). Most sites are reporting on the order of 6 or more packets per second to their DNS servers. The victim has apparently seen upwards of 90 Mb/s of traffic coming back in to them. Does anyone here have anymore information on this attack?
In general, this attack method is known. There is some information about it documented at: Denial of Service Attacks Using Nameservers http://www.cert.org/incident_notes/IN-2000-04.html Regards, Kevin
Current thread:
- PSI as transit carrier Jason Lixfeld (Feb 24)
- Re: PSI as transit carrier Andy Walden (Feb 24)
- Re: PSI as transit carrier Omachonu Ogali (Feb 24)
- Re: PSI as transit carrier Christian Nielsen (Feb 24)
- DNS requests from 209.67.50.203 John Kristoff (Feb 24)
- Re: DNS requests from 209.67.50.203 Kevin Houle (Feb 24)