nanog mailing list archives

Re: DNS Attacks

From: Joel jaeggli <joelja () bogus com>
Date: Wed, 18 Jan 2012 00:35:07 -0800

On 1/17/12 23:45 , Leigh Porter wrote:



On 18 Jan 2012, at 05:06, "toor" <lists () 1337 mx> wrote:

Hi list,

I am wondering if anyone else has seen a large amount of DNS
queries coming from various IP ranges in China. I have been trying
to find a pattern in the attacks but so far I have come up blank. I
am completly guessing these are possibly DNS amplification attacks
but I am not sure. Usually what I see is this:


At various seemingly random times over the past week I have had a DNS
which is behind a firewall come under attack. The firewall is
significant because the attacks killed the firewall as it is rather
under specified (not my idea..).


Given the the pps rate and the cps rate of DNS requests are rather
similar one expects the value of inspecting unsolicited queries to your
nameserver to be rather low.

It did originate from Chinese address space and consisted of DNS
queries for lots of hosts. There was also a port-scan in the traffic
and a SYN attack on a few hosts on the same small subnet as the DNS,
a web server and an open SSH port.

Current thread:

DNS Attacks toor (Jan 17)
- Re: DNS Attacks Mark Andrews (Jan 17)
- Re: DNS Attacks Christopher Morrow (Jan 17)
- Re: DNS Attacks Leigh Porter (Jan 17)
  - Re: DNS Attacks Dobbins, Roland (Jan 18)
  - Re: DNS Attacks Joel jaeggli (Jan 18)
  - Re: DNS Attacks Ken A (Jan 19)
- Re: DNS Attacks virendra rode (Jan 18)
  - RE: DNS Attacks Drew Weaver (Jan 18)
- <Possible follow-ups>
- Re: DNS Attacks Dennis (Jan 18)
  - RE: DNS Attacks Leigh Porter (Jan 18)
    - Re: DNS Attacks Nick Hilliard (Jan 18)
    - Re: DNS Attacks Christopher Morrow (Jan 18)
    - Re: DNS Attacks Steven Bellovin (Jan 18)
    - Re: DNS Attacks Christopher Morrow (Jan 18)
    - Re: DNS Attacks Cameron Byrne (Jan 18)

(Thread continues...)