nanog mailing list archives

RE: DNS Attacks


From: Drew Weaver <drew.weaver () thenap com>
Date: Wed, 18 Jan 2012 09:01:08 -0500

We ran into a 25Gbps SNMP 'reply/amplification attack' from a cable modem network about a month ago.

Hopefully the particular network has fixed that issue now, but it was a banner day to be sure.

Thanks,
-Drew


-----Original Message-----
From: virendra rode [mailto:virendra.rode () gmail com] 
Sent: Wednesday, January 18, 2012 8:58 AM
To: nanog () nanog org
Subject: Re: DNS Attacks

Hi -

We've been victims of these attacks many a time, and more recently towards our customer DNS servers, which was rated at ~4 Gbps for a duration of 30 mins.

Tracking the source of an attack is simplified when the source is more likely to be "valid".

The nature of these attacks for us was a combination of amplification and spoofing; however, implementing anti-spoofing (uRPF), especially BCP38, is a good idea. Not saying it's a fix, but certainly the attack methodology will significantly lessen.

As Matt Katz put it rightly so, "Distributed denial of service can only be solved with distributed delivery of service".


regards,
/virendra

On 01/17/2012 09:04 PM, toor wrote:
Hi list,

I am wondering if anyone else has seen a large amount of DNS queries 
coming from various IP ranges in China. I have been trying to find a 
pattern in the attacks but so far I have come up blank. I am completely 
guessing these are possibly DNS amplification attacks but I am not 
sure. Usually what I see is this:

- Attacks most commonly between the hours of 4AM-4PM UTC
- DNS queries appear to be for real domains that the DNS servers in 
question are authoritative for (I can't really see any pattern there, 
there are about 150,000 zones on the servers in question)
- From a range of IPs there will be an attack for approximately 5-10 
minutes before stopping and then a break of 30 minutes or so before 
another attack from a different IP range
- Every IP range has been from China

I have limited the number of queries that can be done to mitigate this 
but it's messing up my pretty netflow graphs due to the spikes in 
flows/packets being sent.

Does anyone have any ideas what the reasoning behind this could be? I 
would also be interested to hear from anyone else experiencing this 
too.

I can provide IP ranges from where I am seeing the issue but it does 
vary a lot between the attacks with the only pattern every time being 
the source address is located in China. I read a thread earlier, 
http://seclists.org/nanog/2011/Nov/920, which sounds like the exact 
thing I am seeing.

Thanks




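As an added example (not code from Drew, virendra or toor), a Python script that flags the pattern toor describes above: a source range hammering an authoritative server for several minutes and then going quiet, grouped per /24 so the detection is not confused by a flood spread across many hosts. It assumes BIND-style querylog lines and feeds itself constructed sample traffic from documentation prefixes; the per-minute threshold and minimum burst length are assumptions to tune against real logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# BIND querylog line, e.g. 17-Jan-2012 04:00:01.000 client 203.0.113.10#40000 (zone1.example): query: zone1.example IN A +
LINE_RE = re.compile(r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?P<src>[\d.]+)#\d+ .*query: ")

def parse_line(line):
    """Return (minute bucket, source /24) for a query record, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts.replace(second=0, microsecond=0), str(ip_network(m.group("src") + "/24", strict=False))

def find_bursts(lines, qpm_threshold=100, min_minutes=3):
    """Return {prefix: [(start, minutes, queries)]} for runs of consecutive minutes in which
    one source /24 sent more than qpm_threshold queries and the run lasted >= min_minutes."""
    counts = defaultdict(lambda: defaultdict(int))  # prefix -> minute -> query count
    for minute, prefix in filter(None, map(parse_line, lines)):
        counts[prefix][minute] += 1
    bursts = defaultdict(list)
    for prefix, per_minute in counts.items():
        hot = sorted(m for m, n in per_minute.items() if n > qpm_threshold)
        run = []  # consecutive hot minutes collected so far
        for minute in hot + [None]:  # None sentinel flushes the final run
            if run and (minute is None or minute != run[-1] + timedelta(minutes=1)):
                if len(run) >= min_minutes:
                    bursts[prefix].append((run[0], len(run), sum(per_minute[m] for m in run)))
                run = []
            if minute is not None:
                run.append(minute)
    return dict(bursts)

def constructed_log(start, prefix, minutes, qpm):
    """Constructed (synthetic) querylog lines: qpm queries per minute from hosts in prefix."""
    hosts = list(ip_network(prefix).hosts())
    return [f"{(start + timedelta(minutes=mi, seconds=60 * q / qpm)):%d-%b-%Y %H:%M:%S.%f}"[:-3]
            + f" client {hosts[q % len(hosts)]}#{40000 + q} (zone{q % 150}.example):"
            f" query: zone{q % 150}.example IN A +"
            for mi in range(minutes) for q in range(qpm)]

def demo():
    """Seven-minute flood from one documentation /24, a one-minute blip, and benign background."""
    start = datetime(2012, 1, 17, 4, 0)
    lines = constructed_log(start, "203.0.113.0/24", 7, 300)
    lines += constructed_log(start + timedelta(minutes=40), "198.51.100.0/24", 1, 300)
    lines += constructed_log(start, "192.0.2.0/24", 10, 20)
    return find_bursts(lines)  # -> {"203.0.113.0/24": [(04:00, 7, 2100)]}
```

Only the sustained flood is reported; the single hot minute and the low-rate background prefix are ignored, which is what you want before feeding prefixes into a rate limit or an upstream filter request.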
