[110857] in North American Network Operators' Group
Re: DNS Amplification attack?
daemon@ATHENA.MIT.EDU (Kameron Gasso)
Tue Jan 20 21:17:05 2009
Date: Tue, 20 Jan 2009 18:16:45 -0800
From: Kameron Gasso <kgasso-lists@visp.net>
To: Wil Schultz <wschultz@bsdboy.com>
In-Reply-To: <86A39458-2A2B-45D7-8968-811AAFF422A8@bsdboy.com>
Cc: NANOG list <nanog@nanog.org>
Reply-To: kgasso@visp.net
Errors-To: nanog-bounces@nanog.org
Wil Schultz wrote:
> Anyone else noticing "." requests coming in to your DNS servers?
>
> http://isc.sans.org/diary.html?storyid=5713
>
> I'm seeing them coming from the following addresses in my ns server logs.
>
> 69.50.142.110
> 69.50.142.11
> 76.9.16.171
> 66.230.128.15
> 66.230.160.1

We're also seeing a great number of these, but the idiots spoofing the
queries are hitting several non-recursive nameservers we host - and only
generating 59-byte "REFUSED" replies.

Looks like they probably just grabbed a bunch of DNS hosts out of WHOIS
and hoped that they were recursive resolvers.

--
Kameron Gasso | Senior Systems Administrator | visp.net
Direct: 541-955-6903 | Fax: 541-471-0821
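
Added example, not part of the original message: the "." NS query and the REFUSED reply a non-recursive server returns, built on the wire to show that the reply is no larger than the query. The function names are hypothetical, and the 42 bytes of UDP/IPv4/Ethernet overhead are an assumption; with it, the 17-byte reply comes to the 59 bytes mentioned above.

```python
import struct

REFUSED = 5                      # RCODE 5 (RFC 1035)
TYPE_NS, CLASS_IN = 2, 1
# Assumed per-packet overhead: UDP 8 + IPv4 20 (no options) + Ethernet 14
L2_L4_OVERHEAD = 8 + 20 + 14


def build_root_query(txid, qtype=TYPE_NS, rd=True):
    """DNS query for the root name "." (a single zero-length label)."""
    flags = 0x0100 if rd else 0  # RD bit only
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + b"\x00" + struct.pack("!HH", qtype, CLASS_IN)


def is_root_query(msg):
    """True if msg is a query (QR=0) with one question whose name is "."."""
    if len(msg) < 17:
        return False
    _, flags, qdcount = struct.unpack("!HHH", msg[:6])
    return not (flags & 0x8000) and qdcount == 1 and msg[12] == 0


def refused_reply(query):
    """Reply of a non-recursive server: question echoed, QR=1, RCODE=REFUSED."""
    txid, flags = struct.unpack("!HH", query[:4])
    rflags = 0x8000 | (flags & 0x7900) | REFUSED  # keep opcode and RD
    header = struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0)
    return header + query[12:]   # no answer, authority or additional records


def frame_size(msg):
    """Size on the wire under the overhead assumption above."""
    return len(msg) + L2_L4_OVERHEAD


def amplification(query, reply):
    """Bytes sent toward the spoofed address per byte the sender spent."""
    return len(reply) / len(query)


if __name__ == "__main__":
    q = build_root_query(0x1234)  # constructed sample query
    r = refused_reply(q)
    print(len(q), len(r), frame_size(r), amplification(q, r))
```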