[147109] in North American Network Operators' Group


Re: Recent DNS attacks from China?

daemon@ATHENA.MIT.EDU (Ryan Rawdon)
Fri Dec 2 10:03:55 2011

From: Ryan Rawdon <ryan@u13.net>
In-Reply-To: <F3318834F1F89D46857972DD4B411D7005274280E8@exchange>
Date: Fri, 2 Dec 2011 10:02:56 -0500
To: Drew Weaver <drew.weaver@thenap.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>,
 "leland@taranta.discpro.org" <leland@taranta.discpro.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Nov 30, 2011, at 3:12 PM, Drew Weaver wrote:

> 
> -----Original Message-----
> From: Rob.Vercouteren@kpn.com [mailto:Rob.Vercouteren@kpn.com]
> Sent: Wednesday, November 30, 2011 3:05 PM
> To: MatlockK@exempla.org; richard.barnes@gmail.com; andrew.wallace@rocketmail.com
> Cc: nanog@nanog.org; leland@taranta.discpro.org
> Subject: RE: Recent DNS attacks from China?
> 
> Yes it is, but the problem is that our servers are "attacking" the so-called source address. All the answers are going back to the "source". These are huge amplification attacks (some sort of smurf, if you want). The IP addresses are spoofed (we did a capture and saw all different TTLs, so coming from behind different hops). And yes, we saw the ANY queries for all the domains.
> 
> I still wonder how it is still possible that IP addresses can be spoofed nowadays.

We're a smaller shop and started receiving these queries last night, roughly 1000 queries per minute or less. We're seeing that the source (victim) addresses are changing every few minutes, the TTLs vary within a given source address, and while most of the source/victim addresses have been Chinese we are seeing a few which are not, such as 74.125.90.83 (Google). The queries are coming into ns1.traffiq.com (perhaps ns2 also, I haven't checked) and are for traffiq.com/ANY, which unfortunately gives a 492-byte response.


> 
> =================
> 
> Rob,
> 
> Transit providers can bill for the denial of service traffic and they claim it's too expensive to run URPF because of the extra lookup.
> 
> -Drew
> 
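Detection logic for the pattern Rob and Ryan describe, added here as an example and not code posted in the thread: it parses constructed per-query summary lines (the line format, TTL values and addresses are assumptions, as is the 29-byte request size for a plain traffiq.com/ANY query) and flags claimed sources whose repeated ANY queries arrive with differing IP TTLs, the spoofing indicator both posters noticed, while the response/request byte ratio gives the amplification factor per source.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed per-query summary lines (not captured from the thread):
#   epoch_seconds src_ip ip_ttl qname qtype request_bytes response_bytes
SAMPLE_LOG = """\
1322841600 203.0.113.10 52 traffiq.com ANY 29 492
1322841601 203.0.113.10 117 traffiq.com ANY 29 492
1322841602 203.0.113.10 64 traffiq.com ANY 29 492
1322841603 203.0.113.10 243 traffiq.com ANY 29 492
1322841604 198.51.100.7 64 traffiq.com A 29 45
1322841606 192.0.2.9 128 traffiq.com ANY 29 492
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (\d+) (\S+) (\S+) (\d+) (\d+)$")

@dataclass
class SourceStats:
    queries: int = 0
    any_queries: int = 0
    ttls: set = field(default_factory=set)  # distinct IP TTLs from this source
    req_bytes: int = 0
    resp_bytes: int = 0

    def amplification(self) -> float:
        # bytes sent back to the claimed source per byte received from it
        return self.resp_bytes / self.req_bytes if self.req_bytes else 0.0

def summarize(lines):
    """Aggregate query lines per claimed source address."""
    stats = defaultdict(SourceStats)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        _, src, ttl, _, qtype, req, resp = m.groups()
        s = stats[src]
        s.queries += 1
        s.req_bytes += int(req)
        s.resp_bytes += int(resp)
        s.ttls.add(int(ttl))
        if qtype == "ANY":
            s.any_queries += 1
    return dict(stats)

def suspected_reflection_victims(stats, min_any=2, min_ttl_variants=2):
    """Sources that look spoofed: repeated ANY queries whose IP TTLs differ.
    A genuine host sits a fixed hop count away, so its TTL would be stable."""
    return sorted(src for src, s in stats.items()
                  if s.any_queries >= min_any and len(s.ttls) >= min_ttl_variants)
```

Sources this flags are the reflection victims, not attackers, so the useful response is rate limiting or dropping ANY for them rather than blocking them at the edge.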


