nanog mailing list archives
Re: DNS Attacks
From: Joel jaeggli <joelja () bogus com>
Date: Wed, 18 Jan 2012 00:35:07 -0800
On 1/17/12 23:45 , Leigh Porter wrote:
On 18 Jan 2012, at 05:06, "toor" <lists () 1337 mx> wrote:Hi list, I am wondering if anyone else has seen a large amount of DNS queries coming from various IP ranges in China. I have been trying to find a pattern in the attacks but so far I have come up blank. I am completly guessing these are possibly DNS amplification attacks but I am not sure. Usually what I see is this:At various seemingly random times over the past week I have had a DNS which is behind a firewall come under attack. The firewall is significant because the attacks killed the firewall as it is rather under specified (not my idea..).
Given the the pps rate and the cps rate of DNS requests are rather similar one expects the value of inspecting unsolicited queries to your nameserver to be rather low.
It did originate from Chinese address space and consisted of DNS queries for lots of hosts. There was also a port-scan in the traffic and a SYN attack on a few hosts on the same small subnet as the DNS, a web server and an open SSH port.
Current thread:
- DNS Attacks toor (Jan 17)
- Re: DNS Attacks Mark Andrews (Jan 17)
- Re: DNS Attacks Christopher Morrow (Jan 17)
- Re: DNS Attacks Leigh Porter (Jan 17)
- Re: DNS Attacks Dobbins, Roland (Jan 18)
- Re: DNS Attacks Joel jaeggli (Jan 18)
- Re: DNS Attacks Ken A (Jan 19)
- Re: DNS Attacks virendra rode (Jan 18)
- RE: DNS Attacks Drew Weaver (Jan 18)
- <Possible follow-ups>
- Re: DNS Attacks Dennis (Jan 18)
- RE: DNS Attacks Leigh Porter (Jan 18)
- Re: DNS Attacks Nick Hilliard (Jan 18)
- Re: DNS Attacks Christopher Morrow (Jan 18)
- Re: DNS Attacks Steven Bellovin (Jan 18)
- Re: DNS Attacks Christopher Morrow (Jan 18)
- Re: DNS Attacks Cameron Byrne (Jan 18)
- RE: DNS Attacks Leigh Porter (Jan 18)