nanog mailing list archives

Re: Recent DNS attacks from China?


From: Chris Adams <cmadams () hiwaay net>
Date: Wed, 30 Nov 2011 12:13:46 -0600

Once upon a time, Leland Vandervort <leland () taranta discpro org> said:
I am wondering if anyone else is seeing a sudden increase in DNS attacks emanating from Chinese IP addresses?  Over 
the past 24 hours we've seen a sudden rash of Chinese IPs attacking our DNS servers in the order of 5 to 10 million 
PPS for periods of 5 to 10 mins, repeated every 20 to 30 minutes.

This anomalous traffic started roughly 24 hours ago, and while we've had occasions of anomalous Chinese traffic, 
never anything of this type.

I'm seeing something similar.  The requests are to our authoritative
servers, and appear to be mostly for a small number of domains at a time
(they are all domains we are authoritative for).  They are all ANY
queries, often repeated for the same domain rapidly.  The requests come
from one IP at a time, but move to another IP in a minute or two.

This does NOT appear to be related to the recent BIND vulnerability.
-- 
Chris Adams <cmadams () hiwaay net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
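
One way to flag the pattern described in this message (repeated ANY queries for the same domain from a single source) from authoritative-server query logs. This is an added example, not part of the original post; the log layout is assumed to follow BIND 9's querylog format, and the sample lines, addresses (documentation ranges), window and threshold are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed BIND 9 querylog layout; adjust the pattern to your server's format.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ .*?"
    r"client (?:@\S+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+.*?: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)

def find_any_bursts(lines, window_s=10, threshold=5):
    """Return {(client_ip, qname): peak count of ANY queries seen inside a
    sliding window of window_s seconds} for pairs that reached threshold."""
    recent = defaultdict(deque)  # (ip, qname) -> timestamps still in window
    peaks = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["qtype"].upper() != "ANY":
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        key = (m["ip"], m["qname"].lower().rstrip("."))
        q = recent[key]
        q.append(ts)
        # Drop timestamps that have aged out of the window for this pair.
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks

def _sample(ts, ip, qname, qtype):
    # Constructed log line for the demo, not real traffic.
    return (f"30-Nov-2011 {ts} queries: info: client {ip}#40000: "
            f"query: {qname} IN {qtype} + (198.51.100.53)")

SAMPLE_LOG = (
    [_sample(f"12:00:0{i}.100", "203.0.113.7", "example.net", "ANY") for i in range(6)]
    + [_sample(f"12:01:3{i}.200", "203.0.113.99", "example.org", "ANY") for i in range(5)]
    + [_sample("12:00:02.000", "192.0.2.10", "www.example.net", "A"),
       _sample("12:00:03.000", "192.0.2.10", "example.net", "ANY")]
)

if __name__ == "__main__":
    for (ip, qname), n in sorted(find_any_bursts(SAMPLE_LOG).items()):
        print(f"{ip} sent {n} ANY queries for {qname} within the window")
```

Because the sources described above change every minute or two, the flagged pairs are more useful grouped by queried domain than as a per-IP block list.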

