[110862] in North American Network Operators' Group


Re: DNS Amplification attack?

daemon@ATHENA.MIT.EDU (jay@miscreant.org)
Tue Jan 20 22:09:29 2009

Date: Wed, 21 Jan 2009 14:08:25 +1100
From: jay@miscreant.org
To: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

> On Tue, Jan 20, 2009 at 9:16 PM, Kameron Gasso <kgasso-lists@visp.net> wrote:

> We're also seeing a great number of these, but the idiots spoofing the
> queries are hitting several non-recursive nameservers we host - and only
> generating 59-byte "REFUSED" replies.
>
> Looks like they probably just grabbed a bunch of DNS hosts out of WHOIS
> and hoped that they were recursive resolvers.

First post to this list, play nice :)

Are you sure about this? I'm seeing these requests on /every/
(unrelated) NS I have access to, which numbers several dozen, in
various countries across the world, and from various registries (.net,
.org, .com.au). The spread of servers I've checked is so random that
I'm wondering just how many NS records they've laid their hands on.

I've also noticed that on a server running BIND 9.3.4-P1 with
recursion disabled, they still appear to be getting the list of
root NSs from cache, which is a 272-byte response to a 61-byte
request, which by my definition is an amplification.

Cheers,

Jay
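The two size figures in this thread (a 59-byte REFUSED reply, and a few-hundred-byte root NS list answering a query of a few dozen bytes) can be checked without trusting a packet capture by building the DNS messages by hand. The following is an added example, not part of Jay's or Kameron's posts: it builds the wire-format query for `. IN NS`, parses a reply, and computes the on-the-wire amplification factor. It assumes IPv4 over Ethernet (14 + 20 + 8 = 42 bytes of headers on top of the DNS payload), uses the real a–m root server names only as constructed sample data for a made-up reply, and the `measure()` function (which actually sends the query over UDP) is an assumption about how you would run the same check against a server you operate.

```python
"""Build and parse minimal DNS messages to reason about amplification factors."""
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "ANY": 255}
RCODE_REFUSED = 5
# Assumed link overhead added to every DNS payload: Ethernet 14 + IPv4 20 + UDP 8.
L2_L3_L4_OVERHEAD = 14 + 20 + 8
# Constructed sample data: the thirteen root server names (a-m).
ROOT_SERVERS = tuple(f"{c}.root-servers.net" for c in "abcdefghijklm")


def encode_name(name):
    """Dotted name -> DNS label format; '.' encodes as the single byte 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Decode a (possibly compressed) name at msg[off]; return (name, end offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                         # caller resumes after the pointer
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def build_query(name, qtype="NS", txid=0x1234, rd=False):
    """One-question query, no EDNS; '. IN NS' comes out at 17 bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def build_refused(query):
    """What a non-recursive server sends back: QR set, RCODE=REFUSED, question echoed."""
    return query[:2] + struct.pack("!HHHHH", 0x8000 | RCODE_REFUSED, 1, 0, 0, 0) + query[12:]


def build_root_ns_response(query, servers=ROOT_SERVERS, ttl=518400):
    """Constructed NOERROR reply with one NS RR per server, compressing the
    'root-servers.net' suffix after the first RR as a real server would."""
    msg = bytearray(query[:2] + struct.pack("!HHHHH", 0x8000, 1, len(servers), 0, 0))
    msg += query[12:]                                  # copy the question verbatim
    suffix_ptr = None
    for srv in servers:
        first = srv.split(".", 1)[0]
        if suffix_ptr is None:
            rdata = encode_name(srv)
            # suffix starts after owner(1) + fixed fields(10) + first label(1+len)
            next_ptr = len(msg) + 1 + 10 + 1 + len(first)
        else:
            rdata = bytes([len(first)]) + first.encode("ascii") + struct.pack("!H", 0xC000 | suffix_ptr)
            next_ptr = suffix_ptr
        msg += b"\x00" + struct.pack("!HHIH", 2, 1, ttl, len(rdata)) + rdata
        suffix_ptr = next_ptr
    return bytes(msg)


def parse_response(msg):
    """Return rcode, section counts and (owner, type, rdata) for every RR."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                       # qtype + qclass
    records = []
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = read_name(msg, off)[0] if rtype == 2 else msg[off:off + rdlen]
        off += rdlen
        records.append((owner, rtype, rdata))
    return {"rcode": flags & 0xF, "answer": an, "authority": ns, "additional": ar, "records": records}


def amplification(query, response, overhead=L2_L3_L4_OVERHEAD):
    """Bytes returned per byte sent, counting the assumed IPv4/UDP/Ethernet headers."""
    return (len(response) + overhead) / (len(query) + overhead)


def measure(server, name=".", qtype="NS", timeout=2.0):
    """Send the query to a server you operate and return (amplification, parsed reply)."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply = sock.recv(4096)
    return amplification(query, reply), parse_response(reply)
```

A 17-byte `. IN NS` query and a 17-byte REFUSED reply both come to 59 bytes on Ethernet, which is exactly Kameron's figure and gives an amplification factor of 1.0; the constructed thirteen-record root NS list is 228 DNS bytes (270 on the wire), a factor of about 4.6. If `measure()` against your own server with recursion disabled still returns the root NS list rather than REFUSED, the BIND 9 options that govern answering from cache are `allow-query-cache` (9.4 and later) and, on older releases, `additional-from-cache`.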


