[147020] in North American Network Operators' Group


RE: Recent DNS attacks from China?

daemon@ATHENA.MIT.EDU (Drew Weaver)
Wed Nov 30 15:13:13 2011

From: Drew Weaver <drew.weaver@thenap.com>
To: "'Rob.Vercouteren@kpn.com'" <Rob.Vercouteren@kpn.com>,
 "MatlockK@exempla.org" <MatlockK@exempla.org>, "richard.barnes@gmail.com"
 <richard.barnes@gmail.com>, "andrew.wallace@rocketmail.com"
 <andrew.wallace@rocketmail.com>
Date: Wed, 30 Nov 2011 15:12:09 -0500
In-Reply-To: <3454EA54E9F18A4993A4B99F07A01D9D014D53F62FC5@W2055.kpnnl.local>
Cc: "nanog@nanog.org" <nanog@nanog.org>,
 "leland@taranta.discpro.org" <leland@taranta.discpro.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


-----Original Message-----
From: Rob.Vercouteren@kpn.com [mailto:Rob.Vercouteren@kpn.com]
Sent: Wednesday, November 30, 2011 3:05 PM
To: MatlockK@exempla.org; richard.barnes@gmail.com; andrew.wallace@rocketmail.com
Cc: nanog@nanog.org; leland@taranta.discpro.org
Subject: RE: Recent DNS attacks from China?

Yes it is, but the problem is that our servers are "attacking" the so-called source address. All the answers are going back to the "source". These are huge amplification attacks (some sort of smurf, if you want). The IP addresses are spoofed (we did a capture and saw all different TTLs, so they are coming from behind different hops). And yes, we saw the ANY queries for all the domains.

I still wonder how it is still possible that IP addresses can be spoofed nowadays.

=================

Rob,

Transit providers can bill for the denial-of-service traffic, and they claim it's too expensive to run uRPF because of the extra lookup.

-Drew
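A resolver-side view of the signals Rob describes (one claimed source arriving with many different IP TTLs, mostly ANY queries, responses far larger than the queries), written as an added example that is not part of this thread; the packet records and thresholds are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of per-query records from a resolver capture:
# (claimed src IP, qtype, IP TTL seen on the query, query bytes, response bytes).
# These values are made up, not taken from any real capture.
SAMPLE_QUERIES = [
    ("198.51.100.7", "ANY", 54, 45, 3200),
    ("198.51.100.7", "ANY", 117, 45, 3200),
    ("198.51.100.7", "ANY", 241, 45, 3200),
    ("198.51.100.7", "ANY", 62, 45, 3200),
    ("203.0.113.9", "A", 57, 40, 120),
    ("203.0.113.9", "AAAA", 57, 40, 140),
    ("203.0.113.9", "A", 56, 40, 120),
]

@dataclass
class SourceStats:
    queries: int
    distinct_ttls: int      # distinct IP TTLs seen for this one "source"
    any_fraction: float     # share of queries that were QTYPE ANY
    amplification: float    # bytes sent back / bytes received

def summarize(records):
    """Aggregate the capture per claimed source address."""
    by_src = defaultdict(list)
    for src, qtype, ttl, qlen, rlen in records:
        by_src[src].append((qtype, ttl, qlen, rlen))
    stats = {}
    for src, rows in by_src.items():
        n = len(rows)
        any_n = sum(1 for qtype, *_ in rows if qtype == "ANY")
        sent = sum(r[3] for r in rows)
        recv = sum(r[2] for r in rows)
        stats[src] = SourceStats(n, len({r[1] for r in rows}), any_n / n, sent / recv)
    return stats

def suspected_reflection(records, min_ttl_spread=3, min_any=0.8, min_amp=10.0):
    """Return sources whose queries look like a spoofed reflection stream.
    A single host normally reaches the resolver over one path, so one TTL (or two,
    after a route change); a wide TTL spread means the packets were sent from many
    different hop distances while all claiming the same address, which is what a
    spoofed stream looks like.  Combined with ANY queries and a high response/query
    byte ratio, the "source" is the victim being amplified, not the attacker."""
    return sorted(src for src, s in summarize(records).items()
                  if s.distinct_ttls >= min_ttl_spread
                  and s.any_fraction >= min_any
                  and s.amplification >= min_amp)
```

The TTL-spread test alone is weak evidence (a large NAT or anycast source can show a few TTLs), which is why it is only combined with the ANY share and the byte ratio; the thresholds are starting points to tune per resolver.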

