Home page logo
/

nanog logo nanog mailing list archives

Re: DNS Attacks
From: Henry Linneweh <hrlinneweh () sbcglobal net>
Date: Sat, 18 Feb 2012 11:02:25 -0800 (PST)



http://thehackernews.com/2012/02/fbi-will-shutdown-internet-on-march-8.html


________________________________
From: toor <lists () 1337 mx>
To: nanog () nanog org 
Sent: Tuesday, January 17, 2012 9:04 PM
Subject: DNS Attacks

Hi list,

I am wondering if anyone else has seen a large amount of DNS queries
coming from various IP ranges in China. I have been trying to find a
pattern in the attacks but so far I have come up blank. I am completly
guessing these are possibly DNS amplification attacks but I am not
sure. Usually what I see is this:

- Attacks most commonly between the hours of 4AM-4PM UTC
- DNS queries appear to be for real domains that the DNS servers in
question are authoritive for (I can't really see any pattern there,
there are about 150,000 zones on the servers in question)
- From a range of IP's there will be an attack for approximately 5-10
minutes before stopping and then a break of 30 minutes or so before
another attack from a different IP range
- Every IP range has been from China

I have limited the number of queries that can be done to mitigate this
but its messing up my pretty netflow graphs due to the spikes in
flows/packets being sent.

Does anyone have any ideas what the reasoning behind this could be? I
would also be interested to hear from anyone else experiencing this
too.

I can provide IP ranges from where I am seeing the issue but it does
vary a lot between the attacks with the only pattern every time being
the source address is located in China. I read a thread earlier,
http://seclists.org/nanog/2011/Nov/920, which sounds like the exact
thing I am seeing.

Thanks


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]