really nasty attacks

Patrick W. Gilmore patrick at
Thu Sep 27 16:12:50 UTC 2012

On Sep 27, 2012, at 11:34 , Stephane Bortzmeyer <bortzmeyer at> wrote:
> On Thu, Sep 27, 2012 at 08:55:58AM -0600, Miguel Mata <mmata at> wrote 
> a message of 30 lines which said:
>> Guys,
> No gals on NANOG?

Many.  Although in fairness, some people use "guys" in a gender-neutral manner.

>> The attacks comes from various sites from the other side of the pond
>> (46.165.197.xx, 213.152.180.yy).
> How can you be sure? With UDP, you have zero guarantee on the source
> IP address. (Checking the TTL can give you a hint if the packets
> really come from the same point.)
> Source and destination port? If source port is 53, it may means you're
> the target of a DNS reflection+amplification attack, a la CloudFlare
> <>.

I do not know of any name servers that reply to queries with UDP packets filled with only the letter X.  The DNS Headers alone require more than the letter "X".


More information about the NANOG mailing list