Attack on the DNS ?

Sat Mar 31 15:28:17 CDT 2012

> We already have this type of attack in Bucharest/Romania since last 
> Friday. The targets were IPs of some local webhosters, but at one 
> moment we even saw IPs from Go Daddy.
> Tcpdump will show something like:
> 11:10:41.447079 IP target > open_resolver_ip.53: 80+ [1au] ANY? (37)
> 11:10:41.447082 IP target > open_resolver_ip.53: 59147+ [1au] ANY? (37)
> 11:10:41.447084 IP target > open_resolver_ip.53: 13885+ [1au] ANY? (37)
> After one week the attack has been mostly mitigated, and the remaining 
> open resolvers are probably Windows servers. Apparently in bill'g world 
> it is impossible to restrict the recursion.

This is a spoofed source amplification/reflection attack, and is really
going on all the time. It has nothing to do with any possible Anonymous
attack on the root name servers.

ANY queries for and are popular ( has also been
seen), since they give a potentially large amplification factor.

Steinar Haug, Nethelp consulting, sthaug at
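
Added example, not part of either poster's message: a resolver operator's check that reads tcpdump query lines like those quoted above and reports claimed source addresses sending bursts of ANY queries for one name, which is the reflection pattern described in the reply. The addresses (documentation ranges), the name example.com., the sample lines and the threshold of 3 per second are all constructed assumptions.

```python
import re
from collections import Counter

# Matches tcpdump's one-line output for an IPv4 DNS query, e.g.
# 11:10:41.447079 IP 192.0.2.10.40000 > 198.51.100.53.53: 80+ [1au] ANY? example.com. (40)
QUERY_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.\d+ IP (?P<src>\S+)\.\d+ > "
    r"(?P<dst>\S+)\.53: \d+\S* (?:\[[^\]]*\] )?(?P<qtype>[A-Za-z0-9]+)\? "
    r"(?P<qname>\S+) \(\d+\)$"
)

def parse_query(line):
    """Return (second_of_day, src, qtype, qname), or None if not a query line."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    sec = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    return sec, m["src"], m["qtype"].upper(), m["qname"].lower()

def suspected_victims(lines, threshold=3):
    """Map (claimed source, qname) to its peak ANY-queries-per-second count,
    keeping only pairs that reach the threshold (an assumed tuning value)."""
    buckets = Counter()
    for line in lines:
        q = parse_query(line)
        if q and q[2] == "ANY":
            sec, src, _, qname = q
            buckets[(src, qname, sec)] += 1
    hits = {}
    for (src, qname, _), n in buckets.items():
        if n >= threshold:
            hits[(src, qname)] = max(n, hits.get((src, qname), 0))
    return hits

# Constructed sample capture: three ANY queries in one second from one claimed
# source (the likely spoofed victim), plus ordinary traffic from another client.
SAMPLE = """\
11:10:41.447079 IP 192.0.2.10.40000 > 198.51.100.53.53: 80+ [1au] ANY? example.com. (40)
11:10:41.447082 IP 192.0.2.10.40000 > 198.51.100.53.53: 59147+ [1au] ANY? example.com. (40)
11:10:41.447084 IP 192.0.2.10.40000 > 198.51.100.53.53: 13885+ [1au] ANY? example.com. (40)
11:10:41.500000 IP 203.0.113.7.51512 > 198.51.100.53.53: 4242+ A? www.example.net. (33)
11:10:42.100000 IP 203.0.113.7.51513 > 198.51.100.53.53: 4243+ ANY? example.com. (29)
"""

if __name__ == "__main__":
    for (src, qname), peak in suspected_victims(SAMPLE.splitlines()).items():
        print(f"{src} ANY? {qname} peak {peak}/s")
```

Because the source address is spoofed, a flagged address is the victim rather than the sender, so the useful responses on the resolver are restricting recursion or rate limiting, not blocking that address.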

