nanog mailing list archives
Re: isprime DOS in progress
From: Aaron Hopkins <lists () die net>
Date: Wed, 21 Jan 2009 10:21:23 -0800 (PST)
On Wed, 21 Jan 2009, Phil Rosenthal wrote:

> This attack has been ongoing on 66.230.128.15/66.230.160.1 for about 24 hours now, and we are receiving roughly 5Gbit of attack packets from roughly 750,000 hosts.

I'm only receiving NS queries for "." from spoofed 66.230.128.15 and 66.230.160.1 via above.net (of my three transit providers) and none from peering. This usually indicates a single source, such as one rooted machine on non-BCP38 net spewing most of a gigabit.

> Given the attack is still in progress, I can't really say much more publicly, but suffice to say, we're working on the situation.

Have you had any luck tracking back the source of the spoofed packets? If me talking to above.net sounds useful, let me know.

-- Aaron
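The ingress comparison described in the message above, as an added example that is not part of the original post: it tallies root NS queries per claimed source address and per ingress link, and reports sources whose traffic arrives almost entirely over one link. The record format, link labels, packet counts and thresholds are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample records (hypothetical format, not from the original post):
# ingress_link  source_ip  qname  qtype  packets
SAMPLE = """\
transit-a 66.230.128.15 . NS 48210
transit-b 66.230.128.15 . NS 40
transit-a 66.230.160.1 . NS 47955
transit-b 203.0.113.9 . NS 900
transit-c 203.0.113.9 . NS 800
transit-c 198.51.100.7 . NS 3
peering-1 203.0.113.5 example.net. MX 4
transit-a 192.0.2.44 example.org. A 9
this line is malformed
"""

def parse(text):
    """Yield (ingress, src, qname, qtype, packets) from whitespace-separated lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed lines rather than guessing at fields
        yield parts[0], parts[1], parts[2], parts[3].upper(), int(parts[4])

def root_ns_by_source(text):
    """Map source IP -> Counter(ingress link -> packets) for '. NS' queries only."""
    table = defaultdict(Counter)
    for ingress, src, qname, qtype, pkts in parse(text):
        if qname == "." and qtype == "NS":
            table[src][ingress] += pkts
    return table

def single_path_sources(text, min_packets=1000, min_share=0.95):
    """Return {src: (dominant_link, share)} for high-volume sources seen
    almost entirely on one ingress link (thresholds are assumed values)."""
    result = {}
    for src, links in root_ns_by_source(text).items():
        total = sum(links.values())
        link, top = links.most_common(1)[0]
        if total >= min_packets and top / total >= min_share:
            result[src] = (link, round(top / total, 3))
    return result

if __name__ == "__main__":
    for src, (link, share) in sorted(single_path_sources(SAMPLE).items()):
        print(f"{src}: {share:.1%} of root NS queries arrive via {link}")
```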