[148546] in North American Network Operators' Group
Re: DNS Attacks
daemon@ATHENA.MIT.EDU (Joel jaeggli)
Wed Jan 18 03:36:06 2012
Date: Wed, 18 Jan 2012 00:35:07 -0800
From: Joel jaeggli <joelja@bogus.com>
To: Leigh Porter <leigh.porter@ukbroadband.com>
In-Reply-To: <2996806E-AFD9-442A-948B-82118461845E@ukbroadband.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 1/17/12 23:45, Leigh Porter wrote:
>
>
> On 18 Jan 2012, at 05:06, "toor" <lists@1337.mx> wrote:
>
>> Hi list,
>>
>> I am wondering if anyone else has seen a large amount of DNS
>> queries coming from various IP ranges in China. I have been trying
>> to find a pattern in the attacks but so far I have come up blank. I
>> am completely guessing these are possibly DNS amplification attacks
>> but I am not sure. Usually what I see is this:
>>
>
> At various seemingly random times over the past week I have had a DNS
> which is behind a firewall come under attack. The firewall is
> significant because the attacks killed the firewall as it is rather
> under specified (not my idea..).
Given the pps rate and the cps rate of DNS requests are rather
similar one expects the value of inspecting unsolicited queries to your
nameserver to be rather low.
> It did originate from Chinese address space and consisted of DNS
> queries for lots of hosts. There was also a port-scan in the traffic
> and a SYN attack on a few hosts on the same small subnet as the DNS,
> a web server and an open SSH port.
>
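As an added illustration of the two points raised above (that for UDP DNS floods nearly every query is a new "connection" for a stateful firewall, and that amplification-style floods show up as bursts of large-answer query types), here is a small Python script that is not part of the thread. It parses constructed BIND-style query log lines (the addresses are RFC 5737 documentation ranges, not real sources) and reports the new-flow ratio and the sources sending many amplification-friendly query types.

```python
import re
from collections import Counter

# Constructed, BIND-style query log lines (not from the thread). Source
# addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
18-Jan-2012 00:35:07.001 client 203.0.113.5#53211: query: victim.example IN ANY +E (198.51.100.2)
18-Jan-2012 00:35:07.002 client 203.0.113.5#53212: query: victim.example IN ANY +E (198.51.100.2)
18-Jan-2012 00:35:07.003 client 203.0.113.9#40001: query: victim.example IN ANY +E (198.51.100.2)
18-Jan-2012 00:35:07.004 client 203.0.113.5#53213: query: victim.example IN ANY +E (198.51.100.2)
18-Jan-2012 00:35:07.250 client 192.0.2.10#5353: query: www.example IN A + (198.51.100.2)
18-Jan-2012 00:35:07.900 client 192.0.2.10#5353: query: mail.example IN MX + (198.51.100.2)
18-Jan-2012 00:35:08.001 client 203.0.113.5#53214: query: victim.example IN ANY +E (198.51.100.2)
18-Jan-2012 00:35:08.002 client 203.0.113.9#40002: query: victim.example IN ANY +E (198.51.100.2)
"""

# Fields we need: source address, source port, query name and type.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#(?P<sport>\d+): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse(log):
    """Return one dict per well-formed query log line; skip anything else."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows

def flow_ratio(rows):
    """Fraction of queries that are a new (src, sport) tuple, i.e. a fresh
    state-table entry for a stateful firewall. Near 1.0 means cps ~= pps,
    so per-connection inspection costs about as much as answering."""
    flows = {(r["src"], r["sport"]) for r in rows}
    return len(flows) / len(rows)

def suspicious_sources(rows, min_queries=3,
                       amp_types=("ANY", "TXT", "RRSIG", "DNSKEY")):
    """Sources sending at least min_queries amplification-friendly query
    types (large answers). Returns {src: count}; a hypothetical threshold."""
    counts = Counter(r["src"] for r in rows if r["qtype"] in amp_types)
    return {src: n for src, n in counts.items() if n >= min_queries}

if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("new-flow ratio:", flow_ratio(rows))
    print("suspicious sources:", suspicious_sources(rows))
```

Feed it a real query log instead of SAMPLE_LOG to see how little state tracking buys you against a UDP query flood, and which sources to rate-limit or drop upstream of the firewall.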