[147111] in North American Network Operators' Group
Re: Recent DNS attacks from China?
daemon@ATHENA.MIT.EDU (Leland Vandervort)
Fri Dec 2 10:19:18 2011
From: Leland Vandervort <leland@taranta.discpro.org>
In-Reply-To: <38E75725-9FD3-4468-9425-2B5B19C684C9@u13.net>
Date: Fri, 2 Dec 2011 16:17:22 +0100
To: Ryan Rawdon <ryan@u13.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>,
Leland Vandervort <leland@taranta.discpro.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Yup.. they're all "ANY" requests. The varying TTLs indicate that they're most likely spoofed. We are also now seeing similar traffic from RFC1918 "source" addresses trying to ingress our network (but being stopped by our border filters).
Looks like the kiddies are playing....
On 2 Dec 2011, at 16:02, Ryan Rawdon wrote:
>
> On Nov 30, 2011, at 3:12 PM, Drew Weaver wrote:
>
>>
>> -----Original Message-----
>> From: Rob.Vercouteren@kpn.com [mailto:Rob.Vercouteren@kpn.com]
>> Sent: Wednesday, November 30, 2011 3:05 PM
>> To: MatlockK@exempla.org; richard.barnes@gmail.com; andrew.wallace@rocketmail.com
>> Cc: nanog@nanog.org; leland@taranta.discpro.org
>> Subject: RE: Recent DNS attacks from China?
>>
>> Yes it is, but the problem is that our servers are "attacking" the so-called source address. All the answers are going back to the "source". These are huge amplification attacks (some sort of smurf, if you want). The IP addresses are spoofed (we did a capture and saw all different TTLs, so coming from behind different hops), and yes, we saw the ANY queries for all the domains.
>>
>> I still wonder how it is still possible that IP addresses can be spoofed nowadays.
>
> We're a smaller shop and started receiving these queries last night, roughly 1000 queries per minute or less. We're seeing that the source (victim) addresses are changing every few minutes, the TTLs vary within a given source address, and while most of the source/victim addresses have been Chinese we are seeing a few which are not, such as 74.125.90.83 (Google). The queries are coming in to ns1.traffiq.com (perhaps ns2 also, I haven't checked) and are for traffiq.com/ANY which unfortunately gives a 492 byte response.
>
>
>>
>> =================
>>
>> Rob,
>>
>> Transit providers can bill for the denial of service traffic and they claim it's too expensive to run URPF because of the extra lookup.
>>
>> -Drew
>>
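The triage the posters describe (ANY queries piling up for one zone, TTLs that vary within a single "source" address, RFC1918 sources arriving from the Internet) can be scripted against a capture. The following Python is an added example, not code from anyone in this thread; the capture records are constructed stand-ins, the threshold is an assumption, and the 492-byte response figure is the one Ryan reports for traffiq.com/ANY.

```python
"""Triage of an ANY-query flood against an authoritative nameserver.

Added example (not from the NANOG thread). Heuristics, as stated by the
posters: a burst of ANY queries for the zone, IP TTL values that vary for
one claimed source (packets from a single real host normally arrive with a
stable hop count, so variation suggests spoofing), and RFC 1918 sources,
which have no business arriving on an Internet-facing interface.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed capture: (claimed source IP, IP TTL on the wire, qname, qtype).
SAMPLE = [
    ("203.0.113.10", 53, "traffiq.com", "ANY"),
    ("203.0.113.10", 117, "traffiq.com", "ANY"),
    ("203.0.113.10", 244, "traffiq.com", "ANY"),
    ("198.51.100.7", 61, "traffiq.com", "ANY"),
    ("198.51.100.7", 61, "traffiq.com", "ANY"),
    ("198.51.100.7", 61, "www.traffiq.com", "A"),
    ("10.4.4.4", 121, "traffiq.com", "ANY"),
]


def is_rfc1918(ip):
    """True if the address falls in any RFC 1918 private block."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def dns_query_size(qname):
    """UDP payload bytes of a minimal query without EDNS0:
    12-byte header + length-prefixed labels + root label + QTYPE/QCLASS."""
    labels = [lbl for lbl in qname.strip(".").split(".") if lbl]
    return 12 + sum(len(lbl) + 1 for lbl in labels) + 1 + 4


def amplification(qname, response_bytes):
    """Bytes sent to the victim per byte the attacker had to send."""
    return response_bytes / dns_query_size(qname)


def triage(records, any_threshold=3):
    """Return {source: [reasons]} for sources worth a closer look.

    any_threshold is an assumed cut-off for this constructed sample; a real
    deployment would pick it from normal per-resolver query rates.
    """
    per_src = defaultdict(lambda: {"any": 0, "total": 0, "ttls": set()})
    for src, ttl, _qname, qtype in records:
        stats = per_src[src]
        stats["total"] += 1
        stats["ttls"].add(ttl)
        if qtype == "ANY":
            stats["any"] += 1

    findings = {}
    for src, stats in per_src.items():
        reasons = []
        if stats["any"] >= any_threshold:
            reasons.append("any-flood")
        if len(stats["ttls"]) > 1:
            reasons.append("ttl-varies")
        if is_rfc1918(src):
            reasons.append("rfc1918-source")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, reasons in triage(SAMPLE).items():
        print(f"{src}: {', '.join(reasons)}")
    print("amplification for traffiq.com/ANY at 492 bytes: "
          f"{amplification('traffiq.com', 492):.1f}x")
```

Run against the constructed sample, 203.0.113.10 is flagged for both the ANY burst and the varying TTLs, 10.4.4.4 only for being an RFC 1918 source, and 198.51.100.7 (a resolver asking a couple of ordinary questions with a stable TTL) is left alone. The 29-byte query for traffiq.com against a 492-byte reply works out to roughly 17x, which is the multiplier the victim named in the spoofed source receives.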