[148544] in North American Network Operators' Group
Re: DNS Attacks
daemon@ATHENA.MIT.EDU (Leigh Porter)
Wed Jan 18 02:44:25 2012
From: Leigh Porter <leigh.porter@ukbroadband.com>
To: toor <lists@1337.mx>
Date: Wed, 18 Jan 2012 07:45:22 +0000
In-Reply-To: <CALjCmpma-gXUerPUfeAWtgZn4qtVkxJTaEFL3D9Gc0OTvS96oQ@mail.gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 18 Jan 2012, at 05:06, "toor" <lists@1337.mx> wrote:
> Hi list,
>
> I am wondering if anyone else has seen a large amount of DNS queries
> coming from various IP ranges in China. I have been trying to find a
> pattern in the attacks but so far I have come up blank. I am completely
> guessing these are possibly DNS amplification attacks but I am not
> sure. Usually what I see is this:
>
At various seemingly random times over the past week I have had a DNS which is behind a firewall come under attack. The firewall is significant because the attacks killed the firewall as it is rather under specified (not my idea..).

It did originate from Chinese address space and consisted of DNS queries for lots of hosts. There was also a port-scan in the traffic and a SYN attack on a few hosts on the same small subnet as the DNS, a web server and an open SSH port.
-- 
Leigh Porter