DNS requests from 209.67.50.203
Jared Mauch
jared at puck.Nether.net
Wed Jan 10 01:32:55 UTC 2001
On Tue, Jan 09, 2001 at 07:24:39PM -0500, Steven M. Bellovin wrote:
>
> In message <3A5BA3C3.CEAAD37D at depaul.edu>, John Kristoff writes:
> >
> >I'm surprised this hasn't come up in NANOG yet...
> >
> >On a university list many sites are reporting large amounts of traffic
> >appearing to come from 209.67.50.203 to their DNS servers. The
> >administrator of the source IP (spoofed of course) is the victim of a
> >brutal DoS attack. The traffic is UDP/DNS queries that are appear to be
> >going directly to available DNS servers (as opposed to random hosts).
> >Most sites are reporting on the order of 6 or more packets per second to
> >their DNS servers. The victim has apparently seen upwards of 90 Mb/s of
> >traffic coming back in to them. Does anyone here have anymore
> >information on this attack?
>
> Yes, it's a DDoS attack, of the type that Vern Paxson has dubbed
> "refletor attacks". You send a forged DNS query to a DNS server; it
> sends its reply to the victim. Then you have lots of hosts around the
> net doing this, but banging on different DNS servers.
A good way to reduce this is to turn off recursion for
people not on your network for your dns server. This is fairly easy
to do with bind8/bind9.
- Jared
--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
END OF LINE | Manager of IP networks built within my own home
More information about the NANOG
mailing list