DNS Flood

Vui Le vuile at laihwa.es.net
Thu Aug 12 21:11:51 UTC 1999


Hi Jamie,

We are seeing it as well (same spoofed addresses). In our case, we
tracked it to NAPNET @ AADS-NAP. Folks from NAPNET are looking
at it but we have not heard back from them.

- Vui

> Are there any other ISPs who are experiencing DNS floods, specifically I am
> looking for traffic destined for (or coming from) the following IPs
> 
> >>> 199.108.32.203
> >>> 216.15.178.201
> >>> 129.180.11.17
> >>> 216.41.23.68
> >>> 208.235.124.20
> >>> 203.251.77.1
> 
> It appears someone is running a script that is using these nameservers, as
> well as the name servers of other educational facilities, to do a lookup on
> multiple servers in the amplitude of 3-4 a second.  This activity has been
> happening for the past 3 weeks; we have null routed this traffic on our
> backbone, but it still shows up in Cache flow.
> 
> This traffic actually saturated our customer's pipe as well as increased the
> load on our backbone router.
> 
> If anyone has seen anything at all like that (specifically people from
> UU.net or AT&T Worldnet), please let's band together and find the person doing
> this.
> 
> Thanks
> Jamie D.    | noc at cerf.net
> AT&T CERFnet| Network Analyst
> 1-888-237-3638 opt 2 opt 2

========================================================================
Vui Q. Le                                      Phone: (510) 495-2204
Energy Sciences Network (ESnet)                Fax  : (510) 486-6712
Network Engineering Services Group             Email: vuile at es.net
Lawrence Berkeley National Laboratory          URL  : http://www.es.net/
========================================================================



