DNS requests from 209.67.50.203

Steven M. Bellovin smb at research.att.com
Wed Jan 10 00:24:39 UTC 2001


In message <3A5BA3C3.CEAAD37D at depaul.edu>, John Kristoff writes:
>
>I'm surprised this hasn't come up in NANOG yet...
>
>On a university list many sites are reporting large amounts of traffic
>appearing to come from 209.67.50.203 to their DNS servers.  The
>administrator of the source IP (spoofed of course) is the victim of a
>brutal DoS attack.  The traffic is UDP/DNS queries that appear to be
>going directly to available DNS servers (as opposed to random hosts). 
>Most sites are reporting on the order of 6 or more packets per second to
>their DNS servers.  The victim has apparently seen upwards of 90 Mb/s of
>traffic coming back in to them.  Does anyone here have any more
>information on this attack?

Yes, it's a DDoS attack, of the type that Vern Paxson has dubbed 
"reflector attacks".  You send a forged DNS query to a DNS server; it 
sends its reply to the victim.  Then you have lots of hosts around the 
net doing this, but banging on different DNS servers.



		--Steve Bellovin
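The exchange above describes the view from the reflector's side: a name server sees a steady stream of queries whose source address is the victim, and answers each one back to the victim. The following is an added example, not code from the original post or from either of its authors, showing how an operator of one such name server could pick the abused source out of a query log. The log layout is modelled on BIND-style query logging and every line in it is constructed, not captured traffic; the use of ANY queries and the 5 qps threshold (chosen just under the "6 or more packets per second" figure quoted above) are assumptions of this example.

```python
"""Flag clients whose query rate to this name server looks like reflector abuse.

Added example; not part of the original NANOG message.  Log format is modelled
on BIND-style query logging; the sample lines are constructed, not real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (not real traffic): 209.67.50.203 appears as the "client"
# of a burst of ANY queries while three ordinary clients each query once.  In a
# reflector attack the flagged address is the victim, not the attacker: the
# source address is forged, so the replies land on the victim.
SAMPLE_LOG = """\
10-Jan-2001 00:24:39.000 client 192.0.2.10#2049: query: www.example.net IN A +
10-Jan-2001 00:24:39.010 client 209.67.50.203#1024: query: example.com IN ANY +
10-Jan-2001 00:24:39.130 client 209.67.50.203#1024: query: example.com IN ANY +
10-Jan-2001 00:24:39.250 client 209.67.50.203#1024: query: example.com IN ANY +
10-Jan-2001 00:24:39.380 client 209.67.50.203#1024: query: example.com IN ANY +
10-Jan-2001 00:24:39.440 client 192.0.2.77#3301: query: mail.example.org IN MX +
10-Jan-2001 00:24:39.500 client 209.67.50.203#1024: query: example.com IN ANY +
10-Jan-2001 00:24:39.620 client 209.67.50.203#1024: query: example.com IN ANY +
10-Jan-2001 00:24:39.750 client 209.67.50.203#1024: query: example.com IN ANY +
10-Jan-2001 00:24:39.870 client 209.67.50.203#1024: query: example.com IN ANY +
10-Jan-2001 00:24:40.000 client 198.51.100.5#1812: query: ns1.example.com IN A +
"""

# Assumed log layout: "<dd-Mon-yyyy hh:mm:ss.mmm> client <ip>#<port>: query: <name> IN <type> ..."
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype), or None for lines that are not queries."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return ts, m["ip"], m["name"], m["qtype"]


def query_rates(lines):
    """Per-client query statistics over the span covered by the log.

    The span runs from the first to the last parsed timestamp, floored at one
    second, so a client that sent a single query is not reported as an
    infinite rate.  Returns {ip: {"count", "qps", "names", "qtypes"}}.
    """
    records = [r for r in map(parse_line, lines) if r is not None]
    if not records:
        return {}
    first = min(r[0] for r in records)
    last = max(r[0] for r in records)
    span = max((last - first).total_seconds(), 1.0)
    stats = defaultdict(lambda: {"count": 0, "names": set(), "qtypes": set()})
    for _, ip, name, qtype in records:
        s = stats[ip]
        s["count"] += 1
        s["names"].add(name)
        s["qtypes"].add(qtype)
    for s in stats.values():
        s["qps"] = s["count"] / span
    return dict(stats)


def suspicious_sources(lines, min_qps=5.0):
    """Clients whose sustained rate meets min_qps.

    The threshold is deliberately low: as the message explains, the attacker
    spreads queries across many name servers, so each reflector sees only a
    modest rate while the victim receives the sum of all the replies.
    """
    return {ip: s for ip, s in query_rates(lines).items() if s["qps"] >= min_qps}


if __name__ == "__main__":
    for ip, s in suspicious_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {s['count']} queries, {s['qps']:.1f} qps, "
              f"qtypes={sorted(s['qtypes'])}, names={sorted(s['names'])}")
```

Because the flagged address is the spoofed victim, the output is a reason to rate-limit or filter the queries arriving at this server, not to treat 209.67.50.203 as the offender; the repeated single name and ANY type in the sample are the kind of pattern that distinguishes a reflector stream from ordinary resolver traffic.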
