[148539] in North American Network Operators' Group
Re: DNS Attacks
daemon@ATHENA.MIT.EDU (Mark Andrews)
Wed Jan 18 00:16:21 2012
To: toor <lists@1337.mx>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Wed, 18 Jan 2012 13:04:54 +0800."
<CALjCmpma-gXUerPUfeAWtgZn4qtVkxJTaEFL3D9Gc0OTvS96oQ@mail.gmail.com>
Date: Wed, 18 Jan 2012 16:15:19 +1100
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
In message <CALjCmpma-gXUerPUfeAWtgZn4qtVkxJTaEFL3D9Gc0OTvS96oQ@mail.gmail.com>,
toor writes:
> Hi list,
>
> I am wondering if anyone else has seen a large amount of DNS queries
> coming from various IP ranges in China. I have been trying to find a
> pattern in the attacks but so far I have come up blank. I am completly
> guessing these are possibly DNS amplification attacks but I am not
> sure. Usually what I see is this:
>
> - Attacks most commonly between the hours of 4AM-4PM UTC
> - DNS queries appear to be for real domains that the DNS servers in
> question are authoritive for (I can't really see any pattern there,
> there are about 150,000 zones on the servers in question)
> - From a range of IP's there will be an attack for approximately 5-10
> minutes before stopping and then a break of 30 minutes or so before
> another attack from a different IP range
> - Every IP range has been from China
>
> I have limited the number of queries that can be done to mitigate this
> but its messing up my pretty netflow graphs due to the spikes in
> flows/packets being sent.
>
> Does anyone have any ideas what the reasoning behind this could be? I
> would also be interested to hear from anyone else experiencing this
> too.
>
> I can provide IP ranges from where I am seeing the issue but it does
> vary a lot between the attacks with the only pattern every time being
> the source address is located in China. I read a thread earlier,
> http://seclists.org/nanog/2011/Nov/920, which sounds like the exact
> thing I am seeing.
>
> Thanks
Most of the time you will be being used as a amplifier and the
source traffic is spoofed. The short periods are so that it is
harder to trace the compromised machines.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
