DNS Attacks
Drew Weaver
drew.weaver at thenap.com
Wed Jan 18 14:01:08 UTC 2012
We ran into a 25Gbps SNMP 'reply/amplification attack' from a cable modem network about a month ago.
Hopefully the particular network has fixed that issue now, but it was a banner day to be sure.
Thanks,
-Drew
-----Original Message-----
From: virendra rode [mailto:virendra.rode at gmail.com]
Sent: Wednesday, January 18, 2012 8:58 AM
To: nanog at nanog.org
Subject: Re: DNS Attacks
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hi -
We've been victims of these attacks many a times and more recently towards our customer dns servers which was rated at ~ 4gbps for a duration of 30mins.
Tracking the source of an attack is simplified when the source is more likely to be "valid".
The nature of these attacks for us was a combination of amplification and spoofed, however implementing anti-spoofing (uRFP) specially bcp38 is a good idea not saying its a fix but certainly the attack methodology will significantly lessen.
As Matt Katz put it rightly so, "Distributed denial of service can only be solved with distributed delivery of service".
regards,
/virendra
On 01/17/2012 09:04 PM, toor wrote:
> Hi list,
>
> I am wondering if anyone else has seen a large amount of DNS queries
> coming from various IP ranges in China. I have been trying to find a
> pattern in the attacks but so far I have come up blank. I am completly
> guessing these are possibly DNS amplification attacks but I am not
> sure. Usually what I see is this:
>
> - Attacks most commonly between the hours of 4AM-4PM UTC
> - DNS queries appear to be for real domains that the DNS servers in
> question are authoritive for (I can't really see any pattern there,
> there are about 150,000 zones on the servers in question)
> - From a range of IP's there will be an attack for approximately 5-10
> minutes before stopping and then a break of 30 minutes or so before
> another attack from a different IP range
> - Every IP range has been from China
>
> I have limited the number of queries that can be done to mitigate this
> but its messing up my pretty netflow graphs due to the spikes in
> flows/packets being sent.
>
> Does anyone have any ideas what the reasoning behind this could be? I
> would also be interested to hear from anyone else experiencing this
> too.
>
> I can provide IP ranges from where I am seeing the issue but it does
> vary a lot between the attacks with the only pattern every time being
> the source address is located in China. I read a thread earlier,
> http://seclists.org/nanog/2011/Nov/920, which sounds like the exact
> thing I am seeing.
>
> Thanks
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iF4EAREIAAYFAk8Wz9YACgkQ3HuimOHfh+EupAD+MkS8Z0+j1D53txQTqMOVDRWe
vve+Ov/im9y87mEqxhsA/0IJKkntI8w11QTMZGgbw55A4V4VQvj7WchKnMNKaT2L
=HsEg
-----END PGP SIGNATURE-----
More information about the NANOG
mailing list