[147027] in North American Network Operators' Group
Re: Recent DNS attacks from China?
daemon@ATHENA.MIT.EDU (sthaug@nethelp.no)
Wed Nov 30 15:46:11 2011
Date: Wed, 30 Nov 2011 21:45:11 +0100 (CET)
To: hmurray@megapathdsl.net
From: sthaug@nethelp.no
In-Reply-To: <20111130203129.63046800037@ip-64-139-1-69.sjc.megapath.net>
Cc: nanog@nanog.org
> > I am wondering if anyone else is seeing a sudden increase in DNS attacks
> > emanating from Chinese IP addresses? Over the past 24 hours we've seen a
> > sudden rash of Chinese IPs attacking our DNS servers in the order of 5 to 10
> > million PPS for periods of 5 to 10 mins, repeated every 20 to 30 minutes.
>
> > This anomalous traffic started roughly 24 hours ago, and while we've had
> > occasions of anomalous Chinese traffic, never anything of this type.
>
> I don't know if it's related, but at about the same time USNO reported an
> attack on their NTP servers.
>
> I could easily imagine a piece of malware with a bug that does massive
> retransmits on both DNS and NTP.

I'm seeing DNS-based attacks on a regular basis, typically several
per day. Often involving ANY isc.org or ANY ripe.net to get a good
amplification. E.g. *right now* an amplification attack against
78.159.111.190.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
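
Added example, not part of the original message: a defender-side check that scans a resolver's query log for bursts of ANY queries of the kind described above. The log layout (modelled on a BIND-style query log), the sample lines, the addresses and the threshold/window values are constructed assumptions; adjust the regex to your server's format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed layout, modelled on a BIND-style query log line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
    r"(?P<src>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def find_any_floods(lines, threshold=5, window=timedelta(seconds=10)):
    """Return {(src, qname): peak_count} for every source whose ANY queries
    for one name reached `threshold` inside a sliding `window`.
    In a reflection attack the source is spoofed, so `src` is the likely
    victim of the amplified responses, not the real sender."""
    recent = defaultdict(deque)   # (src, qname) -> timestamps still in window
    peaks = {}
    for line in lines:            # lines are assumed to be in time order
        m = LINE_RE.match(line)
        if not m or m["qtype"].upper() != "ANY":
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        key = (m["src"], m["qname"].lower().rstrip("."))
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop entries that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks

def sample_lines():
    """Constructed log lines using documentation address ranges."""
    tail = "(192.0.2.53)"
    out = []
    for i in range(8):    # burst: 8 ANY isc.org queries within 2 seconds
        out.append(f"30-Nov-2011 21:40:0{i // 4}.{(i % 4) * 250:03d} client "
                   f"203.0.113.7#{40000 + i}: query: isc.org IN ANY +ED {tail}")
    for i in range(6):    # slow: one ANY ripe.net per minute, below threshold
        out.append(f"30-Nov-2011 21:4{i}:30.000 client "
                   f"203.0.113.7#{50000 + i}: query: ripe.net IN ANY + {tail}")
    out.append("30-Nov-2011 21:46:00.000 client 198.51.100.20#33333: "
               f"query: www.example.com IN A + {tail}")   # ordinary lookup
    return out

if __name__ == "__main__":
    for (src, qname), peak in find_any_floods(sample_lines()).items():
        print(f"ANY burst: {peak} queries for {qname} claiming source {src}")
```

Addresses flagged this way are candidates for response rate limiting or upstream filtering rather than blocking as attackers, since the traffic is reflected toward them.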