really nasty attacks

Patrick W. Gilmore patrick at ianai.net
Thu Sep 27 16:12:50 UTC 2012


On Sep 27, 2012, at 11:34 , Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> On Thu, Sep 27, 2012 at 08:55:58AM -0600, Miguel Mata <mmata at intercom.com.sv> wrote 
> a message of 30 lines which said:
> 
>> Guys,
> 
> No gals on NANOG?

Many.  Although in fairness, some people use "guys" in a gender-neutral manner.


>> The attacks come from various sites from the other side of the pond
>> (46.165.197.xx, 213.152.180.yy).
> 
> How can you be sure? With UDP, you have zero guarantee on the source
> IP address. (Checking the TTL can give you a hint if the packets
> really come from the same point.)
> 
> Source and destination port? If source port is 53, it may mean you're
> the target of a DNS reflection+amplification attack, a la CloudFlare
> <http://blog.cloudflare.com/65gbps-ddos-no-problem>.

I do not know of any name servers that reply to queries with UDP packets filled with only the letter X.  The DNS Headers alone require more than the letter "X".

-- 
TTFN,
patrick
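
The header point made in the reply above can be checked mechanically on captured traffic. The following is an added example, not part of the original thread: it triages UDP payloads seen arriving from source port 53 by testing for the fixed 12-byte DNS header (RFC 1035). The function names and the sample payloads are constructed for illustration.

```python
import struct
from collections import Counter

DNS_HEADER_LEN = 12  # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (16 bits each)

def classify_udp_payload(payload: bytes) -> str:
    """Say whether a UDP payload from source port 53 can be a DNS response."""
    if not payload:
        return "empty"
    if len(set(payload)) == 1:
        # A single repeated byte (for example all "X") is padding, not DNS.
        return "filler"
    if len(payload) < DNS_HEADER_LEN:
        return "too-short"
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:DNS_HEADER_LEN])
    if flags >> 15 == 0:
        return "dns-query"          # QR bit clear: not a response at all
    if flags & 0x0040:
        return "malformed"          # reserved Z bit must be zero
    # Smallest possible records: question = 1-byte root name + type + class (5),
    # resource record = 1 + type + class + TTL + RDLENGTH (11).
    if len(payload) < DNS_HEADER_LEN + 5 * qd + 11 * (an + ns + ar):
        return "malformed"          # counts promise more than the packet holds
    return "dns-response"

def triage(payloads) -> Counter:
    """Count payload classes across a capture."""
    return Counter(classify_udp_payload(p) for p in payloads)

# Constructed sample: response for example.com A -> 192.0.2.1
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)
# Constructed sample: header claiming 1000 answers with no body
SAMPLE_LYING_HEADER = struct.pack("!HHHHHH", 1, 0x8180, 0, 1000, 0, 0)

if __name__ == "__main__":
    capture = [b"X" * 512, b"X" * 1024, SAMPLE_RESPONSE, SAMPLE_LYING_HEADER]
    for kind, count in triage(capture).items():
        print(f"{kind}: {count}")
```

A capture dominated by "filler" from port 53 points to a plain UDP flood with a chosen source port rather than reflection off real name servers.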




