Recent DNS attacks from China?

Hal Murray hmurray at megapathdsl.net
Wed Nov 30 14:31:29 CST 2011


> I am wondering if anyone else is seeing a sudden increase in DNS attacks
> emanating from Chinese IP addresses?  Over the past 24 hours we've seen a
> sudden rash of Chinese IPs attacking our DNS servers in the order of 5 to 10
> million PPS for periods of 5 to 10 mins, repeated every 20 to 30 minutes.

> This anomalous traffic started roughly 24 hours ago, and while we've had
> occasions of anomalous Chinese traffic, never anything of this type.

I don't know if it's related, but at about the same time USNO reported an 
attack on their NTP servers.

I could easily imagine a piece of malware with a bug that does massive 
retransmits on both DNS and NTP.

-----------

From: Rich <schmidt.rich at gmail.com>
Newsgroups: comp.protocols.time.ntp
Subject: NTP Denial of Service attack 29 November 2011
Date: Tue, 29 Nov 2011 12:44:44 -0800 (PST)
Organization: http://groups.google.com
NNTP-Posting-Host: 199.211.133.254

USNO is seeing an apparent coordinated denial of service attack on NTP
originating with the following IPs:
220.117.53.67; 218.92.115.152; 114.40.28.224; 218.201.21.194. 

----------

At 11 pm EST 29 Nov 2011 the Navy Cyber Defense Operations Command
ordered USNO to take NTP servers in Washington, DC offline, and USNO
complied.   USNO serves more than 3 million clients.  This is the
first time in 17 years that we have ceased NTP operations.

----

NTP Service from USNO Washington was restored at 30.56 November 2011
UTC.  No further information is available for dissemination at this
time.


-- 
These are my opinions, not necessarily my employer's.  I hate spam.





