nanog mailing list archives

Re: really nasty attacks


From: "Patrick W. Gilmore" <patrick () ianai net>
Date: Thu, 27 Sep 2012 12:12:50 -0400

On Sep 27, 2012, at 11:34 , Stephane Bortzmeyer <bortzmeyer () nic fr> wrote:
> On Thu, Sep 27, 2012 at 08:55:58AM -0600, Miguel Mata <mmata () intercom com sv> wrote
> a message of 30 lines which said:
>
>> Guys,
>
> No gals on NANOG?

Many.  Although in fairness, some people use "guys" in a gender-neutral manner.


>> The attacks come from various sites from the other side of the pond
>> (46.165.197.xx, 213.152.180.yy).
>
> How can you be sure? With UDP, you have zero guarantee on the source
> IP address. (Checking the TTL can give you a hint if the packets
> really come from the same point.)
>
> Source and destination port? If source port is 53, it may mean you're
> the target of a DNS reflection+amplification attack, a la CloudFlare
> <http://blog.cloudflare.com/65gbps-ddos-no-problem>.

I do not know of any name servers that reply to queries with UDP packets filled with only the letter X.  The DNS Headers alone require more than the letter "X".

-- 
TTFN,
patrick
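
The triage checks raised in this thread (TTL consistency across claimed sources, source port 53, and whether a payload can be a DNS response at all), as an added example that is not part of the original message. The function names, the tuple layout, and the sample packets are assumptions constructed for illustration; the header test is a heuristic based on the fixed 12-byte DNS header.

```python
import struct
from collections import defaultdict

def is_dns_response(payload: bytes) -> bool:
    """Heuristic: does the payload begin with a plausible DNS response header?"""
    if len(payload) < 12:                      # fixed DNS header is 12 bytes
        return False
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    qr = flags >> 15                           # 1 = response
    opcode = (flags >> 11) & 0xF
    z = (flags >> 6) & 0x1                     # reserved bit, must be zero
    return qr == 1 and opcode <= 6 and z == 0 and qdcount <= 1

def triage(packets):
    """packets: iterable of (claimed_src, src_port, ttl, payload) tuples."""
    sources = defaultdict(lambda: {"ttls": set(), "dns_responses": 0, "filler": 0})
    for src, sport, ttl, payload in packets:
        entry = sources[src]
        entry["ttls"].add(ttl)
        if sport == 53 and is_dns_response(payload):
            entry["dns_responses"] += 1        # consistent with reflection
        elif payload and len(set(payload)) == 1:
            entry["filler"] += 1               # one repeated byte, e.g. all "X"
    all_ttls = set().union(*(e["ttls"] for e in sources.values()))
    return {
        "sources": dict(sources),
        # Different claimed sources arriving with one TTL hints at a single origin.
        "single_ttl_across_sources": len(sources) > 1 and len(all_ttls) == 1,
    }

# Constructed sample input (documentation address ranges, not from the thread).
DNS_REPLY = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + b"\x00" * 20
SAMPLE_PACKETS = [
    ("192.0.2.10", 53, 52, b"X" * 512),
    ("198.51.100.7", 40000, 52, b"X" * 512),
    ("203.0.113.5", 53, 52, DNS_REPLY),
]

if __name__ == "__main__":
    print(triage(SAMPLE_PACKETS))
```

A payload of repeated "X" bytes fails the header test even when it arrives from source port 53, because 0x5858 in the flags field has the response bit clear and the reserved bit set.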
