Re: Recent DNS attacks from China?

[Ryan Rawdon <ryan () u13 net>]

On Nov 30, 2011, at 3:12 PM, Drew Weaver wrote:

> -----Original Message-----
> From: Rob.Vercouteren () kpn com [mailto:Rob.Vercouteren () kpn com] 
> Sent: Wednesday, November 30, 2011 3:05 PM
> To: MatlockK () exempla org; richard.barnes () gmail com; andrew.wallace () rocketmail com
> Cc: nanog () nanog org; leland () taranta discpro org
> Subject: RE: Recent DNS attacks from China?
>
> Yes it is, but the problem is that our servers are "attacking" the so called source address. All the answers are 
> going back to the "source". It is huge amplification attacks. (some sort of smurf if you want) The ip addresses are 
> spoofed (We did a capture and saw all different ttl's so coming from behind different hops) And yes we saw the ANY 
> queries for all the domains.
>
> I still wonder how it is still possible that ip addresses can be spoofed nowadays

We're a smaller shop and started receiving these queries last night, roughly 1000 queries per minute or less.  We're 
seeing that the source (victim) addresses are changing every few minutes, the TTLs vary within a given source address, 
and while most of the source/victim addresses have been Chinese we are seeing a few which are not, such as 74.125.90.83 
(Google).  The queries are coming in to ns1.traffiq.com (perhaps ns2 also, I haven't checked) and are for 
traffiq.com/ANY which unfortunately gives a 492 byte response.


> =================
>
> Rob,
>
> Transit providers can bill for the denial of service traffic and they claim it's too expensive to run URPF because of 
> the extra lookup.
>
> -Drew