nanog mailing list archives

Re: DNS dDos Attack!

From: Kevin Houle <kjh () cert org>
Date: Fri, 28 Mar 2003 09:52:40 -0500

--On Friday, March 28, 2003 09:28:48 AM -0500 Dan Armstrong<dan () beanfield com> wrote:

Sorry, I lied.  We are running 8.34Release

What I cannot figure out is why *our* name server is sending out ICMP
unreachables.  The incoming dns queries are coming from random
destinations....


Are you sure the inbound attack packets are really valid queries, or are
they responses? I ask because in the classic DDoS-via-nameservers attack,
the victim will receive answers from a slew of other nameservers and send
out ICMP unreachables. See

 http://www.cert.org/incident_notes/IN-2000-04.html

Kevin

Current thread:

DNS dDos Attack! Dan Armstrong (Mar 28)
- Re: DNS dDos Attack! Stephen J. Wilcox (Mar 28)
- Message not available
  - Re: DNS dDos Attack! Dan Armstrong (Mar 28)
    - Re: DNS dDos Attack! Jared Mauch (Mar 28)
    - Re: DNS dDos Attack! Kevin Houle (Mar 28)