nanog mailing list archives
Re: Attack on the DNS ?
From: sthaug () nethelp no
Date: Sat, 31 Mar 2012 22:28:17 +0200 (CEST)
We already have this type of attack in Bucharest/Romania since last Friday. The targets were IPs of some local webhosters, but at one moment we even saw IPs from Go Daddy. Tcpdump will show something like:

11:10:41.447079 IP target > open_resolver_ip.53: 80+ [1au] ANY? isc.org. (37)
11:10:41.447082 IP target > open_resolver_ip.53: 59147+ [1au] ANY? isc.org. (37)
11:10:41.447084 IP target > open_resolver_ip.53: 13885+ [1au] ANY? isc.org. (37)

After one week the attack has been mostly mitigated, and the remaining open resolvers are probably Windows servers. Apparently in bill'g world is impossible to restrict the recursion.

This is a spoofed source amplification/reflection attack, and is really going on all the time. It has nothing to do with any possible Anonymous attack on the root name servers. ANY queries for isc.org and ripe.net are popular (ietf.org has also been seen), since they give a potentially large amplification factor.

Steinar Haug, Nethelp consulting, sthaug () nethelp no
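
A resolver operator can pick this pattern out of a capture by counting ANY queries per claimed source and query name inside a short window. The sketch below is an added example, not part of the original messages; the sample addresses are constructed, and the one-second window and threshold of three are assumed values.

```python
import re
from collections import defaultdict

# Constructed capture in the tcpdump format quoted above. Addresses are
# documentation-range placeholders, not values from the thread.
SAMPLE = """\
11:10:41.447079 IP 192.0.2.10.4444 > 198.51.100.53.53: 80+ [1au] ANY? isc.org. (37)
11:10:41.447082 IP 192.0.2.10.4444 > 198.51.100.53.53: 59147+ [1au] ANY? isc.org. (37)
11:10:41.447084 IP 192.0.2.10.4444 > 198.51.100.53.53: 13885+ [1au] ANY? isc.org. (37)
11:10:42.100000 IP 203.0.113.7.5353 > 198.51.100.53.53: 4242+ A? www.example.com. (33)
11:10:45.900000 IP 203.0.113.7.5353 > 198.51.100.53.53: 4243+ ANY? example.net. (29)
"""

# Captures: time, claimed source IP, query type, query name (queries to port 53).
QUERY = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) IP (\S+)\.\d+ > \S+\.53: "
    r"\d+\S* (?:\[[^\]]*\] )?(\w+)\? (\S+) \(\d+\)")

def parse(text):
    """Yield (seconds, source, qtype, qname) for each DNS query line."""
    for line in text.splitlines():
        m = QUERY.match(line.strip())
        if m:
            h, mi, s, src, qtype, qname = m.groups()
            yield int(h) * 3600 + int(mi) * 60 + float(s), src, qtype, qname

def suspected_victims(text, window=1.0, threshold=3):
    """Map (claimed source, qname) to the peak number of ANY queries seen
    within `window` seconds, keeping only peaks of at least `threshold`.
    With a spoofed source, the claimed source is the reflection target."""
    stamps = defaultdict(list)
    for ts, src, qtype, qname in parse(text):
        if qtype == "ANY":
            stamps[(src, qname)].append(ts)
    flagged = {}
    for key, times in stamps.items():
        times.sort()
        lo = peak = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:   # slide the window start forward
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged

if __name__ == "__main__":
    for (src, qname), n in suspected_victims(SAMPLE).items():
        print(f"{src} sent {n} ANY? {qname} queries within 1s")
```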