Attack on the DNS ?
Adrian Minta
adrian.minta at gmail.com
Sat Mar 31 18:26:25 UTC 2012
We have already had this type of attack in Bucharest/Romania since last
Friday. The targets were IPs of some local webhosters, but at one
moment we even saw IPs from Go Daddy.
Tcpdump will show something like:
11:10:41.447079 IP target > open_resolver_ip.53: 80+ [1au] ANY? isc.org. (37)
11:10:41.447082 IP target > open_resolver_ip.53: 59147+ [1au] ANY? isc.org. (37)
11:10:41.447084 IP target > open_resolver_ip.53: 13885+ [1au] ANY? isc.org. (37)
After one week the attack has been mostly mitigated, and the remaining
open resolvers are probably Windows servers. Apparently in bill'g world
it is impossible to restrict the recursion.
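Added example, not part of the original post: a resolver operator can spot the pattern in the capture above by counting recursive ANY queries per apparent source, which in a reflection attack is the spoofed victim. The function names, the threshold and the fourth sample line are assumptions made for this illustration; the parser also re-joins lines that a mail archive has wrapped.

```python
import re
from collections import Counter

# Constructed sample in the format of the capture quoted above (placeholders
# kept as printed there); the last line is a constructed ordinary lookup.
SAMPLE = """\
11:10:41.447079 IP target > open_resolver_ip.53: 80+ [1au] ANY? isc.org. (37)
11:10:41.447082 IP target > open_resolver_ip.53: 59147+ [1au] ANY? isc.org. (37)
11:10:41.447084 IP target > open_resolver_ip.53: 13885+ [1au] ANY? isc.org. (37)
11:10:42.100000 IP client_a > open_resolver_ip.53: 4242+ A? www.example.com. (33)
"""

# tcpdump DNS query line: time, source, resolver.53, query id, flags
# ('+' = recursion desired), optional EDNS marker such as [1au], qtype, qname.
QUERY = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+)\.53: "
    r"(?P<id>\d+)(?P<flags>[+%]*) (?:\[(?P<ar>\d+)au\] )?"
    r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<len>\d+)\)$"
)
TIMESTAMP = re.compile(r"\d{2}:\d{2}:\d{2}\.\d+ ")


def unwrap(text):
    """Re-join wrapped records; every real record starts with a timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TIMESTAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def suspected_reflection(text, threshold=3):
    """Return {(source, qname): count} for recursive ANY queries >= threshold."""
    hits = Counter()
    for rec in unwrap(text):
        m = QUERY.match(rec)
        if not m or m["qtype"] != "ANY" or "+" not in m["flags"]:
            continue
        # Drop the source port when tcpdump printed an IPv4 address with one.
        src = re.sub(r"^((?:\d+\.){3}\d+)\.\d+$", r"\1", m["src"])
        hits[(src, m["qname"])] += 1
    return {key: n for key, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for (src, qname), n in suspected_reflection(SAMPLE).items():
        print(f"{n} recursive ANY queries for {qname} claiming to come from {src}")
```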