nanog mailing list archives
Re: DNS Attacks
From: virendra rode <virendra.rode () gmail com>
Date: Wed, 18 Jan 2012 05:57:42 -0800
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi - We've been victims of these attacks many a times and more recently towards our customer dns servers which was rated at ~ 4gbps for a duration of 30mins. Tracking the source of an attack is simplified when the source is more likely to be "valid". The nature of these attacks for us was a combination of amplification and spoofed, however implementing anti-spoofing (uRFP) specially bcp38 is a good idea not saying its a fix but certainly the attack methodology will significantly lessen. As Matt Katz put it rightly so, "Distributed denial of service can only be solved with distributed delivery of service". regards, /virendra On 01/17/2012 09:04 PM, toor wrote:
Hi list, I am wondering if anyone else has seen a large amount of DNS queries coming from various IP ranges in China. I have been trying to find a pattern in the attacks but so far I have come up blank. I am completly guessing these are possibly DNS amplification attacks but I am not sure. Usually what I see is this: - Attacks most commonly between the hours of 4AM-4PM UTC - DNS queries appear to be for real domains that the DNS servers in question are authoritive for (I can't really see any pattern there, there are about 150,000 zones on the servers in question) - From a range of IP's there will be an attack for approximately 5-10 minutes before stopping and then a break of 30 minutes or so before another attack from a different IP range - Every IP range has been from China I have limited the number of queries that can be done to mitigate this but its messing up my pretty netflow graphs due to the spikes in flows/packets being sent. Does anyone have any ideas what the reasoning behind this could be? I would also be interested to hear from anyone else experiencing this too. I can provide IP ranges from where I am seeing the issue but it does vary a lot between the attacks with the only pattern every time being the source address is located in China. I read a thread earlier, http://seclists.org/nanog/2011/Nov/920, which sounds like the exact thing I am seeing. Thanks
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iF4EAREIAAYFAk8Wz9YACgkQ3HuimOHfh+EupAD+MkS8Z0+j1D53txQTqMOVDRWe vve+Ov/im9y87mEqxhsA/0IJKkntI8w11QTMZGgbw55A4V4VQvj7WchKnMNKaT2L =HsEg -----END PGP SIGNATURE-----
Current thread:
- DNS Attacks toor (Jan 17)
- Re: DNS Attacks Mark Andrews (Jan 17)
- Re: DNS Attacks Christopher Morrow (Jan 17)
- Re: DNS Attacks Leigh Porter (Jan 17)
- Re: DNS Attacks Dobbins, Roland (Jan 18)
- Re: DNS Attacks Joel jaeggli (Jan 18)
- Re: DNS Attacks Ken A (Jan 19)
- Re: DNS Attacks virendra rode (Jan 18)
- RE: DNS Attacks Drew Weaver (Jan 18)
- <Possible follow-ups>
- Re: DNS Attacks Dennis (Jan 18)
- RE: DNS Attacks Leigh Porter (Jan 18)
- Re: DNS Attacks Nick Hilliard (Jan 18)
- Re: DNS Attacks Christopher Morrow (Jan 18)
- Re: DNS Attacks Steven Bellovin (Jan 18)
- Re: DNS Attacks Christopher Morrow (Jan 18)
- Re: DNS Attacks Cameron Byrne (Jan 18)
- RE: DNS Attacks Drew Weaver (Jan 18)
- RE: DNS Attacks Leigh Porter (Jan 18)