DNS Attacks

Leigh Porter leigh.porter at ukbroadband.com
Wed Jan 18 08:18:32 CST 2012


Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long as it is not *my* firewalls I really don't care what they do ;-)

--
Leigh Porter


> -----Original Message-----
> From: Dennis [mailto:dennis at justipit.com]
> Sent: 18 January 2012 12:55
> To: Leigh Porter; toor
> Cc: nanog at nanog.org
> Subject: Re: DNS Attacks
> 
> I agree with Roland on the firewall placement.  I add that the attack
> would have likely succeeded to exhaust the servers.  There is a lot of
> recent DDoS activity on DNS with what looks like legitimate queries.
> You should also look at some DoS/application level protections;
> Radware and Arbor top the list.
> 
> 
> Leigh Porter <leigh.porter at ukbroadband.com> wrote:
> 
> >
> >
> >On 18 Jan 2012, at 05:06, "toor" <lists at 1337.mx> wrote:
> >
> >> Hi list,
> >>
> >> I am wondering if anyone else has seen a large amount of DNS queries
> >> coming from various IP ranges in China. I have been trying to find a
> >> pattern in the attacks but so far I have come up blank. I am completely
> >> guessing these are possibly DNS amplification attacks but I am not
> >> sure. Usually what I see is this:
> >>
> >
> >At various seemingly random times over the past week I have had a DNS
> >which is behind a firewall come under attack. The firewall is
> >significant because the attacks killed the firewall as it is rather
> >under specified (not my idea..).
> >
> >It did originate from Chinese address space and consisted of DNS
> >queries for lots of hosts. There was also a port-scan in the traffic
> >and a SYN attack on a few hosts on the same small subnet as the DNS, a
> >web server and an open SSH port.
> >
> >--
> >Leigh Porter
> >
> >
> >______________________________________________________________________
> >This email has been scanned by the Symantec Email Security.cloud
> service.
> >For more information please visit http://www.symanteccloud.com
> >______________________________________________________________________
> >
> >
> 