Recent DNS attacks from China?
Hal Murray
hmurray at megapathdsl.net
Wed Nov 30 20:31:29 UTC 2011
> I am wondering if anyone else is seeing a sudden increase in DNS attacks
> emanating from Chinese IP addresses? Over the past 24 hours we've seen a
> sudden rash of Chinese IPs attacking our DNS servers in the order of 5 to 10
> million PPS for periods of 5 to 10 mins, repeated every 20 to 30 minutes.
> This anomalous traffic started roughly 24 hours ago, and while we've had
> occasions of anomalous Chinese traffic, never anything of this type.
I don't know if it's related, but at about the same time USNO reported an
attack on their NTP servers.
I could easily imagine a piece of malware with a bug that does massive
retransmits on both DNS and NTP.
-----------
From: Rich <schmidt.rich at gmail.com>
Newsgroups: comp.protocols.time.ntp
Subject: NTP Denial of Service attack 29 November 2011
Date: Tue, 29 Nov 2011 12:44:44 -0800 (PST)
Organization: http://groups.google.com
NNTP-Posting-Host: 199.211.133.254
USNO is seeing an apparent coordinated denial of service attack on NTP
originating with the following IPs:
220.117.53.67; 218.92.115.152; 114.40.28.224; 218.201.21.194.
----------
At 11 pm EST 29 Nov 2011 the Navy Cyber Defense Operations Command
ordered USNO to take NTP servers in Washington, DC offline, and USNO
complied. USNO serves more than 3 million clients. This is the
first time in 17 years that we have ceased NTP operations.
----
NTP Service from USNO Washington was restored at 30.56 November 2011
UTC. No further information is available for dissemination at this
time.
--
These are my opinions, not necessarily my employer's. I hate spam.