[148550] in North American Network Operators' Group


RE: DNS Attacks

daemon@ATHENA.MIT.EDU (Drew Weaver)
Wed Jan 18 09:01:58 2012

From: Drew Weaver <drew.weaver@thenap.com>
To: "'virendra.rode@gmail.com'" <virendra.rode@gmail.com>, "nanog@nanog.org"
 <nanog@nanog.org>
Date: Wed, 18 Jan 2012 09:01:08 -0500
In-Reply-To: <4F16CFD6.9080106@gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

We ran into a 25Gbps SNMP 'reply/amplification attack' from a cable modem network about a month ago.

Hopefully the particular network has fixed that issue now, but it was a banner day to be sure.

Thanks,
-Drew


-----Original Message-----
From: virendra rode [mailto:virendra.rode@gmail.com]
Sent: Wednesday, January 18, 2012 8:58 AM
To: nanog@nanog.org
Subject: Re: DNS Attacks

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi -

We've been victims of these attacks many a time, and more recently towards our customer DNS servers, which was rated at ~4 Gbps for a duration of 30 mins.

Tracking the source of an attack is simplified when the source is more likely to be "valid".

The nature of these attacks for us was a combination of amplification and spoofing; however, implementing anti-spoofing (uRPF), especially BCP38, is a good idea. Not saying it's a fix, but the attack methodology will certainly be significantly lessened.

As Matt Katz put it rightly so, "Distributed denial of service can only be solved with distributed delivery of service".


regards,
/virendra

On 01/17/2012 09:04 PM, toor wrote:
> Hi list,
> 
> I am wondering if anyone else has seen a large amount of DNS queries
> coming from various IP ranges in China. I have been trying to find a
> pattern in the attacks but so far I have come up blank. I am completely
> guessing these are possibly DNS amplification attacks but I am not
> sure. Usually what I see is this:
> 
> - Attacks most commonly between the hours of 4AM-4PM UTC
> - DNS queries appear to be for real domains that the DNS servers in
> question are authoritative for (I can't really see any pattern there,
> there are about 150,000 zones on the servers in question)
> - From a range of IPs there will be an attack for approximately 5-10
> minutes before stopping and then a break of 30 minutes or so before
> another attack from a different IP range
> - Every IP range has been from China
> 
> I have limited the number of queries that can be done to mitigate this
> but it's messing up my pretty netflow graphs due to the spikes in
> flows/packets being sent.
> 
> Does anyone have any ideas what the reasoning behind this could be? I
> would also be interested to hear from anyone else experiencing this
> too.
> 
> I can provide IP ranges from where I am seeing the issue but it does
> vary a lot between the attacks with the only pattern every time being
> the source address is located in China. I read a thread earlier,
> http://seclists.org/nanog/2011/Nov/920, which sounds like the exact
> thing I am seeing.
> 
> Thanks
> 
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iF4EAREIAAYFAk8Wz9YACgkQ3HuimOHfh+EupAD+MkS8Z0+j1D53txQTqMOVDRWe
vve+Ov/im9y87mEqxhsA/0IJKkntI8w11QTMZGgbw55A4V4VQvj7WchKnMNKaT2L
=HsEg
-----END PGP SIGNATURE-----
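Added example (not part of any message in this thread, and not anyone's production config): a small Python model of the uRPF check virendra refers to, run over a constructed routing table and a constructed set of packets. The prefixes, the interface names "cust1"/"cust2"/"upstream", the packet list and the remark about an "allow-default" style knob are all assumptions for illustration. The point it shows is why strict-mode uRPF on the customer edge drops a DNS query whose source is forged to be the victim's nameserver, while loose mode only stops sources with no route at all.

```python
"""Strict and loose unicast RPF (uRPF) checks, the mechanism behind BCP38
ingress filtering, run over a constructed FIB and constructed packets.
Illustration only; not code from the NANOG thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


# Constructed FIB for a hypothetical edge router (assumed prefixes/ports).
# Customer prefixes face the customer ports; everything else, including the
# victim's 198.51.100.0/24, is reachable only via the transit uplink.
FIB: List[Route] = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "upstream"),
    Route(ipaddress.ip_network("192.0.2.0/24"), "cust1"),
    Route(ipaddress.ip_network("203.0.113.0/24"), "cust2"),
    Route(ipaddress.ip_network("198.51.100.0/24"), "upstream"),
]


def lookup(addr: str) -> Optional[Route]:
    """Longest-prefix match on the *source* address, exactly the lookup the
    forwarding plane would do for a destination."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Route] = None
    for route in FIB:
        if ip in route.prefix and (
            best is None or route.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = route
    return best


def strict_urpf(src: str, ingress: str) -> bool:
    """Strict mode: accept only when the best route back to the source points
    out the interface the packet arrived on. The default route is not treated
    as a valid reverse path here (assumed behaviour; vendors expose an
    'allow-default' style option to relax that)."""
    route = lookup(src)
    if route is None or route.prefix.prefixlen == 0:
        return False
    return route.interface == ingress


def loose_urpf(src: str) -> bool:
    """Loose mode: accept when any non-default route to the source exists.
    Catches bogons, but not a source forged from another valid prefix."""
    route = lookup(src)
    return route is not None and route.prefix.prefixlen != 0


# Constructed packets, all arriving on customer port cust1: (source, note).
PACKETS: List[Tuple[str, str]] = [
    ("192.0.2.10", "legitimate customer host"),
    ("198.51.100.5", "spoofed: victim's DNS server, only reachable via transit"),
    ("203.0.113.7", "spoofed: another customer's prefix"),
    ("10.0.0.1", "bogon: no route at all"),
]


def classify(packets=PACKETS, ingress: str = "cust1") -> List[Tuple[str, bool, bool]]:
    """Return (source, strict_accepts, loose_accepts) for each packet."""
    return [(src, strict_urpf(src, ingress), loose_urpf(src)) for src, _ in packets]


if __name__ == "__main__":
    for (src, note), (_, strict_ok, loose_ok) in zip(PACKETS, classify()):
        verdict = lambda ok: "pass" if ok else "DROP"
        print(f"{src:14} strict={verdict(strict_ok):4} loose={verdict(loose_ok):4}  {note}")
```

Run it and the second and third packets show the difference that matters for the thread: a forged source inside a prefix the router does know about gets past loose uRPF, so only strict mode (or an explicit ingress ACL of the customer's own prefixes, which is what BCP38 asks for) actually stops the spoofed queries that feed an amplification attack. Strict mode is only safe on interfaces with a single, symmetric path, which is why it belongs on customer edges rather than peering links.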


