Home page logo

nanog logo nanog mailing list archives

Re: DNS Amplification attack?
From: jay () miscreant org
Date: Wed, 21 Jan 2009 14:08:25 +1100

On Tue, Jan 20, 2009 at 9:16 PM, Kameron Gasso <kgasso-lists () visp net> wrote:

We're also seeing a great number of these, but the idiots spoofing the
queries are hitting several non-recursive nameservers we host - and only
generating 59-byte "REFUSED" replies.

Looks like they probably just grabbed a bunch of DNS hosts out of WHOIS
and hoped that they were recursive resolvers.

First post to this list, play nice :)

Are you sure about this? I'm seeing these requests on /every/ (unrelated) NS I have access to, which numbers several dozen, in various countries across the world, and from various registries (.net, .org, .com.au). The spread of servers I've checked is so random that I'm wondering just how many NS records they've laid their hands on.

I've also noticed that on a server running BIND 9.3.4-P1 with recursion disabled, they're still appear to be getting the list of root NS's from cache, which is a 272-byte response to a 61-byte request, which by my definition is an amplification.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]