Recent DNS attacks from China?

Hal Murray hmurray at
Wed Nov 30 14:31:29 CST 2011

> I am wondering if anyone else is seeing a sudden increase in DNS attacks
> emanating from Chinese IP addresses?  Over the past 24 hours we've seen a
> sudden rash of Chinese IPs attacking our DNS servers in the order of 5 to 10
> million PPS for periods of 5 to 10 mins, repeated every 20 to 30 minutes.

> This anomalous traffic started roughly 24 hours ago, and while we've had
> occasions of anomalous Chinese traffic, never anything of this type.

I don't know if it's related, but at about the same time USNO reported an 
attack on their NTP servers.

I could easily imagine a piece of malware with a bug that does massive 
retransmits on both DNS and NTP.


From: Rich < at>
Newsgroups: comp.protocols.time.ntp
Subject: NTP Denial of Service attack 29 November 2011
Date: Tue, 29 Nov 2011 12:44:44 -0800 (PST)

USNO is seeing an apparent coordinated denial of service attack on NTP
originating with the following IPs:;;; 


At 11 pm EST 29 Nov 2011 the Navy Cyber Defense Operations Command
ordered USNO to take NTP servers in Washington, DC offline, and USNO
complied.   USNO serves more than 3 million clients.  This is the
first time in 17 years that we have ceased NTP operations.


NTP Service from USNO Washington was restored at 30.56 November 2011
UTC.  No further information is available for dissemination at this

These are my opinions, not necessarily my employer's.  I hate spam.
