[110858] in North American Network Operators' Group
Re: DNS Amplification attack?
daemon@ATHENA.MIT.EDU (Christopher Morrow)
Tue Jan 20 21:21:55 2009
In-Reply-To: <4976858D.3080705@visp.net>
Date: Tue, 20 Jan 2009 21:21:43 -0500
From: Christopher Morrow <morrowc.lists@gmail.com>
To: kgasso@visp.net
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Tue, Jan 20, 2009 at 9:16 PM, Kameron Gasso <kgasso-lists@visp.net> wrote:
> We're also seeing a great number of these, but the idiots spoofing the
> queries are hitting several non-recursive nameservers we host - and only
> generating 59-byte "REFUSED" replies.
>
> Looks like they probably just grabbed a bunch of DNS hosts out of WHOIS
> and hoped that they were recursive resolvers.
a point to bear in mind here is that... 'its working' is good enough
for the bad folks :( no need to optimize when this works. Also, it's
likely this isn't all of the problem the spoofed requestors are seeing
these past few days :(
-Chris
