Home page logo

nanog logo nanog mailing list archives

Re: Recent DNS attacks from China?
From: Joel Maslak <jmaslak () antelope net>
Date: Fri, 2 Dec 2011 08:23:56 -0700

Other than being non-compliant, is an "ANY" query used by any major
software?  Could someone rate limit ANY responses to mitigate this
particular issue?

On Fri, Dec 2, 2011 at 8:17 AM, Leland Vandervort <
leland () taranta discpro org> wrote:

Yup.. they're all "ANY" requests.  The varying TTLs indicates that they're
most likely spoofed.  We are also now seeing similar traffic from RFC1918
"source" addresses trying to ingress our network (but being stopped by our
border filters).

Looks like the kiddies are playing....

On 2 Dec 2011, at 16:02, Ryan Rawdon wrote:

On Nov 30, 2011, at 3:12 PM, Drew Weaver wrote:

-----Original Message-----
From: Rob.Vercouteren () kpn com [mailto:Rob.Vercouteren () kpn com]
Sent: Wednesday, November 30, 2011 3:05 PM
To: MatlockK () exempla org; richard.barnes () gmail com;
andrew.wallace () rocketmail com
Cc: nanog () nanog org; leland () taranta discpro org
Subject: RE: Recent DNS attacks from China?

Yes it is, but the problem is that our servers are "attacking" the so
called source address. All the answers are going back to the "source". It
is huge amplification attacks. (some sort of smurf if you want) The ip
addresses are spoofed (We did a capture and saw all different ttl's so
coming from behind different hops) And yes we saw the ANY queries for all
the domains.

I still wonder how it is still possible that ip addresses can be
spoofed nowadays

We're a smaller shop and started receiving these queries last night,
roughly 1000 queries per minute or less.  We're seeing that the source
(victim) addresses are changing every few minutes, the TTLs vary within a
given source address, and while most of the source/victim addresses have
been Chinese we are seeing a few which are not, such as
(Google).  The queries are coming in to ns1.traffiq.com (perhaps ns2
also, I haven't checked) and are for traffiq.com/ANY which unfortunately
gives a 492 byte response.



Transit providers can bill for the denial of service traffic and they
claim it's too expensive to run URPF because of the extra lookup.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]