nanog mailing list archives

Re: Recent DNS attacks from China?


From: sthaug () nethelp no
Date: Wed, 30 Nov 2011 21:45:11 +0100 (CET)

I am wondering if anyone else is seeing a sudden increase in DNS attacks
emanating from Chinese IP addresses?  Over the past 24 hours we've seen a
sudden rash of Chinese IPs attacking our DNS servers in the order of 5 to 10
million PPS for periods of 5 to 10 mins, repeated every 20 to 30 minutes.

This anomalous traffic started roughly 24 hours ago, and while we've had
occasions of anomalous Chinese traffic, never anything of this type.

I don't know if it's related, but at about the same time USNO reported an 
attack on their NTP servers.

I could easily imagine a piece of malware with a bug that does massive 
retransmits on both DNS and NTP.

I'm seeing DNS-based attacks on a regular basis, typically several
per day. Often involving ANY isc.org or ANY ripe.net to get a good
amplification. E.g. *right now* an amplification attack against
78.159.111.190.

Steinar Haug, Nethelp consulting, sthaug () nethelp no
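
Added example, not part of the original message: a sketch of how a resolver operator could spot the pattern described above (bursts of ANY queries for names such as isc.org or ripe.net, all carrying one source address, which in a reflection attack is the spoofed address of the victim). The "epoch src_ip qname qtype" log layout, the thresholds and the sample lines are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample in a simplified "epoch src_ip qname qtype" layout
# (an assumption; adapt parse_line to your resolver's real query log).
SAMPLE_LOG = "\n".join(
    ["1000 192.0.2.10 www.example.com A", "1003 192.0.2.10 example.net ANY"]
    + [f"{1000 + i} 198.51.100.7 {name} ANY"
       for i, name in enumerate(["isc.org", "ripe.net"] * 4)]
    + ["1005 203.0.113.5 example.org MX", "garbage line"]
)

def parse_line(line):
    """Split one log line; raises ValueError on a malformed line."""
    ts, src, qname, qtype = line.split()
    return int(ts), src, qname.lower().rstrip("."), qtype.upper()

def find_reflection_targets(log_text, window=10, min_any=5, min_ratio=0.8):
    """Return {src_ip: details} for sources whose queries in some fixed
    window of `window` seconds are dominated by ANY lookups. With spoofed
    sources, a flagged address is the likely victim, not the attacker."""
    buckets = defaultdict(lambda: {"total": 0, "any": 0, "names": Counter()})
    for line in log_text.splitlines():
        try:
            ts, src, qname, qtype = parse_line(line)
        except ValueError:
            continue  # blank or malformed line
        bucket = buckets[(src, ts // window)]
        bucket["total"] += 1
        if qtype == "ANY":
            bucket["any"] += 1
            bucket["names"][qname] += 1
    findings = {}
    for (src, win), b in buckets.items():
        if b["any"] < min_any or b["any"] / b["total"] < min_ratio:
            continue
        # Keep only the busiest window per source.
        if src not in findings or b["any"] > findings[src]["any_queries"]:
            findings[src] = {"window_start": win * window,
                             "any_queries": b["any"],
                             "names": dict(b["names"])}
    return findings

if __name__ == "__main__":
    for src, info in find_reflection_targets(SAMPLE_LOG).items():
        print(src, info)
```

A flagged address is a candidate for per-source response rate limiting on the resolver rather than for blocking as an attacker.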

