Tracking the DNS amplification attacks (was: isprime DOS in progress)

Crist Clark Crist.Clark at globalstar.com
Fri Jan 30 23:04:20 UTC 2009


>>> On 1/24/2009 at 4:50 PM, Brian Keefer <chort at smtps.net> wrote:
> Caveat:  my PERL is _terrible_.
> 
> http://www.smtps.net/pub/dns-amp-watch.pl 
> 
> This assumes you're using BIND.  My logs roll on the hour, so I run it  
> from cron at 1 minute before the hour.  Depending on how long it takes  
> to process your logs, you might need to tweak.

FWIW, I find it easier to track this using tcpdump. I don't like
running BIND with query logging. Here's a filter that catches these,

  port 53 && (udp[10:4] == 0x01000001) && (udp[20:2] == 0x0000)

How it works is left as an exercise for the reader.

When I sniff the link to a server authoritative for several domains,

  17:29:55.792127 IP 72.249.127.168.3966 > 206.220.220.100.53: 18501+ NS? . (17)
  17:29:57.116367 IP 69.64.87.156.58419 > 206.220.220.100.53: 62419+ NS? . (17)
  17:29:57.804987 IP 72.249.127.168.33108 > 206.220.220.100.53: 4637+ NS? . (17)
  17:29:58.959680 IP 72.20.3.82.23084 > 206.220.220.100.53: 14310+ NS? . (17)
  17:29:59.818994 IP 72.249.127.168.60876 > 206.220.220.100.53: 22791+ NS? . (17)
  17:30:01.622728 IP 69.64.87.156.30151 > 206.220.220.100.53: 13557+ NS? . (17)
  17:30:01.628899 IP 72.20.3.82.49015 > 206.220.220.100.53: 14250+ NS? . (17)
  17:30:01.821214 IP 72.249.127.168.13831 > 206.220.220.100.53: 51065+ NS? . (17)
  17:30:03.342856 IP 69.64.87.156.1926 > 206.220.220.100.53: 38768+ NS? . (17)
  17:30:03.818706 IP 72.249.127.168.33663 > 206.220.220.100.53: 12720+ NS? . (17)
  17:30:05.186647 IP 72.20.3.82.7649 > 206.220.220.100.53: 52079+ NS? . (17)
  17:30:05.815718 IP 72.249.127.168.37241 > 206.220.220.100.53: 345+ NS? . (17)
  17:30:07.816144 IP 72.249.127.168.23784 > 206.220.220.100.53: 56874+ NS? . (17)
  17:30:07.849503 IP 69.64.87.156.33190 > 206.220.220.100.53: 20113+ NS? . (17)
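
Since the post leaves the filter as an exercise, here is a worked reading of it. This is an added example, not code from the original post or from either of its authors; the function names (build_dns_query, wrap_udp, matches_filter, count_query_sources) are my own, and the DNS packets it builds are constructed sample data. In BPF, udp[N] is an offset from the start of the 8-byte UDP header, so udp[8] is the first byte of the DNS header and udp[20] is the first byte of the question section. The example builds a few queries, applies the same byte checks the filter does, and then tallies the sniffed lines above by source address. One caveat it makes visible: the filter keys on the root name plus the high byte of QTYPE, so a root query for any type numbered below 256 (for example ANY) matches too, while queries for names other than "." never do.

```python
"""Added example: a Python reading of the tcpdump filter

    port 53 && (udp[10:4] == 0x01000001) && (udp[20:2] == 0x0000)

DNS header layout after the 8-byte UDP header:
  udp[8:2]  ID        udp[10:2] FLAGS     udp[12:2] QDCOUNT
  udp[14:2] ANCOUNT   udp[16:2] NSCOUNT   udp[18:2] ARCOUNT
  udp[20..] question section (QNAME, QTYPE, QCLASS)
"""
import re
import struct
from collections import Counter


def build_dns_query(qname, qtype, txid=0x1234, rd=True):
    """Build a DNS query payload (constructed sample data, class IN)."""
    flags = 0x0100 if rd else 0x0000          # QR=0, opcode 0, RD bit set
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    name = b""
    for label in filter(None, qname.strip(".").split(".")):
        name += bytes([len(label)]) + label.encode("ascii")
    name += b"\x00"                           # root label; "." is just this byte
    return header + name + struct.pack("!HH", qtype, 1)


def wrap_udp(payload, sport, dport=53):
    """Prepend a UDP header (checksum 0) so tcpdump-style udp[N] offsets line up."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def matches_filter(udp):
    """Python equivalent of the BPF expression quoted above."""
    sport, dport = struct.unpack("!HH", udp[:4])
    if 53 not in (sport, dport):              # port 53
        return False
    if len(udp) < 22:                         # BPF load past the end never matches
        return False
    flags, qdcount = struct.unpack("!HH", udp[10:14])
    # udp[10:4] == 0x01000001 -> FLAGS == 0x0100 (a query with RD set) and QDCOUNT == 1
    # udp[20:2] == 0x0000     -> QNAME is the root "." (a single 0x00 byte) and the
    #                            high byte of QTYPE is 0x00 (NS is 0x0002, ANY is 0x00ff)
    return flags == 0x0100 and qdcount == 1 and udp[20:22] == b"\x00\x00"


# The sniffer output from the post, used here as sample input.
TCPDUMP_LINES = """
17:29:55.792127 IP 72.249.127.168.3966 > 206.220.220.100.53: 18501+ NS? . (17)
17:29:57.116367 IP 69.64.87.156.58419 > 206.220.220.100.53: 62419+ NS? . (17)
17:29:57.804987 IP 72.249.127.168.33108 > 206.220.220.100.53: 4637+ NS? . (17)
17:29:58.959680 IP 72.20.3.82.23084 > 206.220.220.100.53: 14310+ NS? . (17)
17:29:59.818994 IP 72.249.127.168.60876 > 206.220.220.100.53: 22791+ NS? . (17)
17:30:01.622728 IP 69.64.87.156.30151 > 206.220.220.100.53: 13557+ NS? . (17)
17:30:01.628899 IP 72.20.3.82.49015 > 206.220.220.100.53: 14250+ NS? . (17)
17:30:01.821214 IP 72.249.127.168.13831 > 206.220.220.100.53: 51065+ NS? . (17)
17:30:03.342856 IP 69.64.87.156.1926 > 206.220.220.100.53: 38768+ NS? . (17)
17:30:03.818706 IP 72.249.127.168.33663 > 206.220.220.100.53: 12720+ NS? . (17)
17:30:05.186647 IP 72.20.3.82.7649 > 206.220.220.100.53: 52079+ NS? . (17)
17:30:05.815718 IP 72.249.127.168.37241 > 206.220.220.100.53: 345+ NS? . (17)
17:30:07.816144 IP 72.249.127.168.23784 > 206.220.220.100.53: 56874+ NS? . (17)
17:30:07.849503 IP 69.64.87.156.33190 > 206.220.220.100.53: 20113+ NS? . (17)
""".strip().splitlines()

_LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > [\d.]+\.53: \d+\+ NS\? \. ")


def count_query_sources(lines):
    """Count 'NS? .' queries per source IP in tcpdump's default DNS output.
    In a reflection attack the source address is usually spoofed, so these
    counts show which addresses are receiving the amplified replies."""
    counts = Counter()
    for line in lines:
        m = _LINE_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


if __name__ == "__main__":
    for desc, pkt in [("NS? .", build_dns_query(".", 2)),
                      ("ANY? .", build_dns_query(".", 255)),
                      ("A? example.com", build_dns_query("example.com", 1))]:
        print(f"{desc:16} {len(pkt):2d} bytes  match={matches_filter(wrap_udp(pkt, 3966))}")
    print(count_query_sources(TCPDUMP_LINES))
```

The 17-byte payload the sniffer reports is exactly what build_dns_query(".", 2) produces: a 12-byte header, a one-byte root name, and two bytes each of type and class. Responses never match because their FLAGS word has the QR bit set, so the filter only ever shows you the inbound query side of the traffic.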

More information about the NANOG mailing list