Re: DDoS attack

[Töma Gavrichenkov <ximaera () gmail com>]

Peace,

On Mon, Dec 9, 2019 at 11:35 PM Florian Brandstetter via NANOG
<nanog () nanog org> wrote:
> if that was to be amplification, the source addresses
> would not be within Google or CloudFlare ranges
> (especially not CloudFlare, as they are not running
> a vulnerable recursor

Well, vulnerable — arguably of course, amplifying — yes, a few, around
twenty.  Not sure if they have any kind of rate limiting there (also
not sure if it's legal for me to check it), expecially given that the
queries could come from spoofed sources.  Anyway, in theory, their
sources *could* be present in a DDoS (though not likely).

12:11:23.726699 IP (tos 0x0, ttl 64, id 9173, offset 0, flags [none],
proto UDP (17), length 60)
    $IP.60801 > 172.65.253.110.53: 45631+ [1au] ANY? com. (32)
12:11:23.733976 IP (tos 0x0, ttl 60, id 30234, offset 0, flags [+],
proto UDP (17), length 1500)
    172.65.253.110.53 > $IP.60801: 45631$ 22/0/1 com. SOA
a.gtld-servers.net. nstld.verisign-grs.com. 1576020207 1800 900 604800
86400, com. RRSIG, com. NS a.gtld-servers.net., com. NS
b.gtld-servers.net., com. NS c.gtld-servers.net., com. NS
e.gtld-servers.net., com. NS i.gtld-servers.net., com. NS
j.gtld-servers.net., com. NS g.gtld-servers.net., com. NS
f.gtld-servers.net., com. NS l.gtld-servers.net., com. NS
d.gtld-servers.net., com. NS k.gtld-servers.net., com. NS
h.gtld-servers.net., com. NS m.gtld-servers.net., com. RRSIG, com.
DNSKEY, com. DNSKEY, com. DNSKEY, com. RRSIG[|domain]

--
Töma