[147019] in North American Network Operators' Group


RE: Recent DNS attacks from China?

daemon@ATHENA.MIT.EDU (Rob.Vercouteren@kpn.com)
Wed Nov 30 15:06:18 2011

From: <Rob.Vercouteren@kpn.com>
To: <MatlockK@exempla.org>, <richard.barnes@gmail.com>,
 <andrew.wallace@rocketmail.com>
Date: Wed, 30 Nov 2011 21:05:18 +0100
In-Reply-To: <4288131ED5E3024C9CD4782CECCAD2C70B53079D@LMC-MAIL2.exempla.org>
Cc: nanog@nanog.org, leland@taranta.discpro.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Yes it is, but the problem is that our servers are "attacking" the so-called source address. All the answers are going back to the "source". It is a huge amplification attack (some sort of smurf, if you want).
The IP addresses are spoofed (we did a capture and saw all different TTLs, so coming from behind different hops).
And yes, we saw the ANY queries for all the domains.

I still wonder how it is still possible that IP addresses can be spoofed nowadays.

Rob

============================

-----Original Message-----
From: Matlock, Kenneth L [mailto:MatlockK@exempla.org]
Sent: Wednesday 30 November 2011 19:57
To: Richard Barnes; andrew.wallace
CC: nanog@nanog.org; Leland Vandervort
Subject: RE: Recent DNS attacks from China?

Except in this case it's a DNS attack, which implies UDP based and easily spoofed. The source IP may or may not actually be accurate.

Ken

________________________________

From: Richard Barnes [mailto:richard.barnes@gmail.com]
Sent: Wed 11/30/2011 11:51 AM
To: andrew.wallace
Cc: nanog@nanog.org; Leland Vandervort
Subject: Re: Recent DNS attacks from China?



An attack originating from somewhere indicates the presence of either
an attacker or a compromised host.  A particular density of either in
a particular geographical area would seem like an interesting data
point.

--Richard

On Wed, Nov 30, 2011 at 1:24 PM, andrew.wallace
<andrew.wallace@rocketmail.com> wrote:
> Before we see knee-jerk conclusions about who to blame, these attacks could be carried out by anyone.
>
>
> Is country even relevant in the cyberscape?
>
>
> Andrew
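
One way to check a capture for the pattern reported at the top of this thread (ANY queries for many domains from one claimed source, arriving with many different IP TTLs), added here as an example and not part of the original messages. The record layout, the thresholds and the function name are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records, as might be extracted from a packet capture on
# an authoritative server: (claimed source IP, IP TTL on arrival, qname, qtype).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE = [
    ("198.51.100.7", 52, "example.com", "ANY"),
    ("198.51.100.7", 113, "example.net", "ANY"),
    ("198.51.100.7", 47, "example.org", "ANY"),
    ("198.51.100.7", 240, "example.com.", "ANY"),
    ("198.51.100.7", 58, "example.net", "ANY"),
    ("203.0.113.20", 57, "example.com", "A"),
    ("203.0.113.20", 57, "example.com", "AAAA"),
    ("203.0.113.20", 57, "example.net", "ANY"),
    ("192.0.2.99", 61, "example.org", "MX"),
]

def likely_reflection_victims(records, min_any=4, min_ttls=3, min_any_ratio=0.8):
    """Return {source: stats} for claimed sources that look spoofed.

    A real client on a stable path arrives with essentially one TTL; one
    "source" seen with many TTLs is being forged from several places. The
    thresholds are assumed values: NAT or path changes can produce a couple
    of TTLs legitimately, so tune them against normal traffic.
    """
    stats = defaultdict(lambda: {"total": 0, "any": 0, "ttls": set(), "names": set()})
    for src, ttl, qname, qtype in records:
        s = stats[src]
        s["total"] += 1
        s["ttls"].add(ttl)
        if qtype.upper() == "ANY":
            s["any"] += 1
            s["names"].add(qname.lower().rstrip("."))  # normalise trailing dot
    flagged = {}
    for src, s in stats.items():
        mostly_any = s["any"] / s["total"] >= min_any_ratio
        if s["any"] >= min_any and mostly_any and len(s["ttls"]) >= min_ttls:
            flagged[src] = {
                "any_queries": s["any"],
                "distinct_ttls": len(s["ttls"]),
                "domains": sorted(s["names"]),
            }
    return flagged

if __name__ == "__main__":
    for src, info in likely_reflection_victims(SAMPLE).items():
        print(src, info)
```

Sources flagged this way are the addresses receiving the amplified answers, so they are candidates for response rate limiting rather than for blocking as attackers.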

