DDoS attack

Töma Gavrichenkov ximaera at gmail.com
Tue Dec 10 23:32:20 UTC 2019


Peace,

On Mon, Dec 9, 2019 at 11:35 PM Florian Brandstetter via NANOG
<nanog at nanog.org> wrote:
> if that was to be amplification, the source addresses
> would not be within Google or CloudFlare ranges
> (especially not CloudFlare, as they are not running
> a vulnerable recursor

Well, vulnerable — arguably of course, amplifying — yes, a few, around
twenty.  Not sure if they have any kind of rate limiting there (also
not sure if it's legal for me to check it), especially given that the
queries could come from spoofed sources.  Anyway, in theory, their
sources *could* be present in a DDoS (though not likely).

12:11:23.726699 IP (tos 0x0, ttl 64, id 9173, offset 0, flags [none],
proto UDP (17), length 60)
    $IP.60801 > 172.65.253.110.53: 45631+ [1au] ANY? com. (32)
12:11:23.733976 IP (tos 0x0, ttl 60, id 30234, offset 0, flags [+],
proto UDP (17), length 1500)
    172.65.253.110.53 > $IP.60801: 45631$ 22/0/1 com. SOA
a.gtld-servers.net. nstld.verisign-grs.com. 1576020207 1800 900 604800
86400, com. RRSIG, com. NS a.gtld-servers.net., com. NS
b.gtld-servers.net., com. NS c.gtld-servers.net., com. NS
e.gtld-servers.net., com. NS i.gtld-servers.net., com. NS
j.gtld-servers.net., com. NS g.gtld-servers.net., com. NS
f.gtld-servers.net., com. NS l.gtld-servers.net., com. NS
d.gtld-servers.net., com. NS k.gtld-servers.net., com. NS
h.gtld-servers.net., com. NS m.gtld-servers.net., com. RRSIG, com.
DNSKEY, com. DNSKEY, com. DNSKEY, com. RRSIG[|domain]

--
Töma
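
Added example, not part of the original message: a Python script that reads `tcpdump -v` output like the capture above, pairs each DNS query with its response by address, port and transaction ID, and reports the response-to-query IP length ratio. The sample text is constructed from the capture (response line shortened, 192.0.2.10 standing in for `$IP`), and the function names are illustrative.

```python
import re

# Constructed sample in tcpdump -v format, modelled on the capture above;
# 192.0.2.10 is a documentation address standing in for $IP.
SAMPLE = """\
12:11:23.726699 IP (tos 0x0, ttl 64, id 9173, offset 0, flags [none], proto UDP (17), length 60)
    192.0.2.10.60801 > 172.65.253.110.53: 45631+ [1au] ANY? com. (32)
12:11:23.733976 IP (tos 0x0, ttl 60, id 30234, offset 0, flags [+], proto UDP (17), length 1500)
    172.65.253.110.53 > 192.0.2.10.60801: 45631$ 22/0/1 com. SOA a.gtld-servers.net. [|domain]
"""

# IP header line: capture the fragment flags and the IP total length.
HDR = re.compile(r"^\S+ IP \(.*flags \[([^\]]*)\].*length (\d+)\)$")
# Detail line: src.port > dst.port: DNS transaction ID.
PKT = re.compile(r"^\s+(\S+)\.(\d+) > (\S+)\.(\d+): (\d+)")

def parse(text):
    """Yield one dict per packet (header line followed by its detail line)."""
    lines = text.splitlines()
    for hdr, det in zip(lines, lines[1:]):
        h, p = HDR.match(hdr), PKT.match(det)
        if h and p:
            src, sport, dst, dport, txid = p.groups()
            yield {"src": src, "sport": int(sport), "dst": dst,
                   "dport": int(dport), "txid": int(txid),
                   "ip_len": int(h.group(2)),
                   "more_frags": "+" in h.group(1)}

def amplification(text):
    """Pair each DNS query with its response and report the IP length ratio."""
    queries, results = {}, []
    for pkt in parse(text):
        if pkt["dport"] == 53:
            queries[(pkt["src"], pkt["sport"], pkt["dst"], pkt["txid"])] = pkt
        elif pkt["sport"] == 53:
            q = queries.get((pkt["dst"], pkt["dport"], pkt["src"], pkt["txid"]))
            if q:
                results.append({"resolver": pkt["src"],
                                "ratio": pkt["ip_len"] / q["ip_len"],
                                # MF flag set: only the first fragment was
                                # counted, so the ratio is a lower bound.
                                "lower_bound": pkt["more_frags"]})
    return results

if __name__ == "__main__":
    for r in amplification(SAMPLE):
        print(r)
```

A `lower_bound` of `True` means the response was fragmented (`flags [+]`), so the full answer is larger than the 1500 bytes counted.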


