Attack on the DNS ?

Adrian Minta adrian.minta at gmail.com
Sat Mar 31 18:26:25 UTC 2012


We already have this type of attack in Bucharest/Romania since last 
Friday. The targets where IP's of some local webhosters, but at one 
moment we event saw IP's from Go Daddy.
Tcpdump will show something like:
11:10:41.447079 IP target > open_resolver_ip.53: 80+ [1au] ANY? isc.org. 
(37)
11:10:41.447082 IP target > open_resolver_ip.53: 59147+ [1au] ANY? 
isc.org. (37)
11:10:41.447084 IP target > open_resolver_ip.53: 13885+ [1au] ANY? 
isc.org. (37)

After one week the attack has been mostly mitigated, and the remaining 
open resolvers are probably windows servers. Apparently in bill'g world 
is impossible to restrict the recursion.





More information about the NANOG mailing list