Recent DNS attacks from China?

Joel Maslak jmaslak at antelope.net
Fri Dec 2 15:23:56 UTC 2011


Other than being non-compliant, is an "ANY" query used by any major
software?  Could someone rate limit ANY responses to mitigate this
particular issue?

On Fri, Dec 2, 2011 at 8:17 AM, Leland Vandervort <
leland at taranta.discpro.org> wrote:

> Yup.. they're all "ANY" requests.  The varying TTLs indicates that they're
> most likely spoofed.  We are also now seeing similar traffic from RFC1918
> "source" addresses trying to ingress our network (but being stopped by our
> border filters).
>
> Looks like the kiddies are playing....
>
>
> On 2 Dec 2011, at 16:02, Ryan Rawdon wrote:
>
> >
> > On Nov 30, 2011, at 3:12 PM, Drew Weaver wrote:
> >
> >>
> >> -----Original Message-----
> >> From: Rob.Vercouteren at kpn.com [mailto:Rob.Vercouteren at kpn.com]
> >> Sent: Wednesday, November 30, 2011 3:05 PM
> >> To: MatlockK at exempla.org; richard.barnes at gmail.com;
> andrew.wallace at rocketmail.com
> >> Cc: nanog at nanog.org; leland at taranta.discpro.org
> >> Subject: RE: Recent DNS attacks from China?
> >>
> >> Yes it is, but the problem is that our servers are "attacking" the so
> called source address. All the answers are going back to the "source". It
> is huge amplification attacks. (some sort of smurf if you want) The ip
> addresses are spoofed (We did a capture and saw all different ttl's so
> coming from behind different hops) And yes we saw the ANY queries for all
> the domains.
> >>
> >> I still wonder how it is still possible that ip addresses can be
> spoofed nowadays
> >
> > We're a smaller shop and started receiving these queries last night,
> roughly 1000 queries per minute or less.  We're seeing that the source
> (victim) addresses are changing every few minutes, the TTLs vary within a
> given source address, and while most of the source/victim addresses have
> been Chinese we are seeing a few which are not, such as 74.125.90.83
> (Google).  The queries are coming in to ns1.traffiq.com (perhaps ns2
> also, I haven't checked) and are for traffiq.com/ANY which unfortunately
> gives a 492 byte response.
> >
> >
> >>
> >> =================
> >>
> >> Rob,
> >>
> >> Transit providers can bill for the denial of service traffic and they
> claim it's too expensive to run URPF because of the extra lookup.
> >>
> >> -Drew
> >>
>
>
>
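Added illustration for the question above about rate-limiting ANY responses, and for the observations quoted in the thread (spoofed sources with varying TTLs, RFC1918 "source" addresses, a 492-byte ANY response). This is example code written for this archive page, not code from the list or from any of the posters. The log lines are constructed in a BIND-style query-log layout, the per-minute thresholds and the "slip" policy (answer a fraction of excess ANY queries with a truncated reply so a real resolver retries over TCP) are assumptions loosely modelled on the response-rate-limiting that BIND later shipped, and example.com is a placeholder name.

```python
"""Detect ANY-query floods and rate-limit ANY answers from a DNS query log."""
import ipaddress
import re
from collections import Counter
from datetime import datetime
from typing import NamedTuple

# Constructed sample lines (not from the thread): one source bursts ANY
# queries, one RFC1918 "source" appears, one ordinary resolver asks for A.
SAMPLE_LOG = """\
02-Dec-2011 15:20:01.001 client 203.0.113.7#5353: query: example.com IN ANY + (192.0.2.53)
02-Dec-2011 15:20:01.105 client 203.0.113.7#5353: query: example.com IN ANY + (192.0.2.53)
02-Dec-2011 15:20:01.207 client 203.0.113.7#5353: query: example.com IN ANY + (192.0.2.53)
02-Dec-2011 15:20:01.309 client 203.0.113.7#5353: query: example.com IN ANY + (192.0.2.53)
02-Dec-2011 15:20:01.410 client 203.0.113.7#5353: query: example.com IN ANY + (192.0.2.53)
02-Dec-2011 15:20:02.001 client 10.1.2.3#4444: query: example.com IN ANY + (192.0.2.53)
02-Dec-2011 15:20:02.500 client 198.51.100.9#40123: query: www.example.com IN A + (192.0.2.53)
02-Dec-2011 15:21:03.000 client 203.0.113.7#5353: query: example.com IN ANY + (192.0.2.53)
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<src>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

class Query(NamedTuple):
    ts: datetime
    src: str
    qname: str
    qtype: str

def parse_query_log(text):
    """Parse BIND-style query-log lines; unrelated lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        out.append(Query(ts, m["src"], m["qname"].rstrip("."), m["qtype"].upper()))
    return out

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)

def any_queries_per_minute(queries):
    """Count ANY queries per (source address, minute bucket)."""
    counts = Counter()
    for q in queries:
        if q.qtype == "ANY":
            counts[(q.src, q.ts.replace(second=0, microsecond=0))] += 1
    return counts

def flag_any_flood_sources(queries, per_minute_threshold=5):
    """Sources whose ANY rate reached the (assumed) threshold in any one minute."""
    counts = any_queries_per_minute(queries)
    return sorted({src for (src, _), n in counts.items() if n >= per_minute_threshold})

def flag_bogon_sources(queries):
    """RFC1918 'sources' reaching the server mean border ingress filters are missing."""
    return sorted({q.src for q in queries if is_rfc1918(q.src)})

class AnyResponseLimiter:
    """Per-source-prefix, per-minute cap on ANY answers (assumed policy).

    Excess ANY queries are dropped, except that every `slip`-th excess query
    gets a truncated (TC=1) reply: a genuine resolver then retries over TCP,
    which a spoofed source cannot complete, and no amplified UDP reply goes out.
    """
    def __init__(self, limit_per_minute=3, slip=2):
        self.limit, self.slip, self.seen = limit_per_minute, slip, Counter()

    def decide(self, q):
        if q.qtype != "ANY":
            return "answer"
        plen = 24 if ":" not in q.src else 56
        key = (ipaddress.ip_network(f"{q.src}/{plen}", strict=False),
               q.ts.replace(second=0, microsecond=0))
        self.seen[key] += 1
        n = self.seen[key]
        if n <= self.limit:
            return "answer"
        return "truncate" if (n - self.limit) % self.slip == 0 else "drop"

def apply_limiter(queries, limiter=None):
    limiter = limiter or AnyResponseLimiter()
    return [(q.src, q.qtype, limiter.decide(q)) for q in queries]

def dns_query_wire_size(qname):
    """Bytes of a minimal DNS query: 12-byte header + encoded QNAME + QTYPE/QCLASS."""
    labels = [l for l in qname.strip(".").split(".") if l]
    return 12 + sum(1 + len(l) for l in labels) + 1 + 4

def amplification_factor(qname, response_bytes):
    """Response bytes per query byte at the DNS layer (UDP/IP headers excluded)."""
    return response_bytes / dns_query_wire_size(qname)

if __name__ == "__main__":
    qs = parse_query_log(SAMPLE_LOG)
    print("ANY flood sources:", flag_any_flood_sources(qs))
    print("RFC1918 sources seen (border filter gap):", flag_bogon_sources(qs))
    for src, qtype, verdict in apply_limiter(qs):
        print(f"{src:15} {qtype:4} -> {verdict}")
    print("traffiq.com/ANY at 492 bytes: %.1fx amplification"
          % amplification_factor("traffiq.com", 492))
```

The limiter keys on a /24 rather than a single address because a spoofer varies the victim address within a prefix, as the quoted posts describe; a per-address counter would never trip. Truncation rather than silent drop is what keeps the cap safe for the few legitimate resolvers that still send ANY, which was the concern raised in the post.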