[151833] in North American Network Operators' Group


Re: Attack on the DNS ?

daemon@ATHENA.MIT.EDU (Adrian Minta)
Sat Mar 31 14:26:59 2012

Date: Sat, 31 Mar 2012 21:26:25 +0300
From: Adrian Minta <adrian.minta@gmail.com>
To: nanog@nanog.org
In-Reply-To: <CAJNg7V+6JWwhvVfbrpXvx_Ex-o1vHfSpmHksBA+2mUrPFELvJA@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

We have already had this type of attack in Bucharest/Romania since last 
Friday. The targets were IPs of some local webhosters, but at one 
moment we even saw IPs from Go Daddy.
Tcpdump will show something like:
11:10:41.447079 IP target > open_resolver_ip.53: 80+ [1au] ANY? isc.org. (37)
11:10:41.447082 IP target > open_resolver_ip.53: 59147+ [1au] ANY? isc.org. (37)
11:10:41.447084 IP target > open_resolver_ip.53: 13885+ [1au] ANY? isc.org. (37)

After one week the attack has been mostly mitigated, and the remaining 
open resolvers are probably Windows servers. Apparently in Bill G's world 
it is impossible to restrict the recursion.
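
An added example, not part of the original post: a Python parser for tcpdump query lines like those quoted above, reporting sources that send bursts of ANY queries to a resolver within one second. The IP addresses, sample lines and threshold are constructed for illustration and are assumptions, not values from the post.

```python
import re
from collections import defaultdict

# One-line tcpdump DNS query summary, e.g.
# "11:10:41.447079 IP 198.51.100.7.4444 > 192.0.2.53.53: 80+ [1au] ANY? isc.org. (37)"
# The optional ".port" after the source is stripped; a sanitised token such as
# "target" (as in the post) is accepted unchanged.
QUERY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP6? (?P<src>\S+?)(?:\.\d+)? > (?P<dst>\S+)\.53: "
    r"\d+[+%]* (?:\[[^\]]*\] )?(?P<qtype>[A-Za-z0-9]+)\? (?P<qname>\S+) \(\d+\)$"
)

def any_query_bursts(lines, threshold=3):
    """Return {(src, qname): peak ANY queries seen in a single second},
    keeping only entries whose peak is at or above `threshold`.
    `threshold` is an illustrative value, tune it to the resolver's load."""
    per_second = defaultdict(int)
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m or m["qtype"].upper() != "ANY":
            continue  # not a DNS query line, or not an ANY query
        per_second[(m["src"], m["qname"].lower(), m["ts"])] += 1
    peaks = defaultdict(int)
    for (src, qname, _ts), count in per_second.items():
        peaks[(src, qname)] = max(peaks[(src, qname)], count)
    return {key: n for key, n in peaks.items() if n >= threshold}

# Constructed sample capture (documentation address ranges, not real hosts).
SAMPLE = """\
11:10:41.447079 IP 198.51.100.7.4444 > 192.0.2.53.53: 80+ [1au] ANY? isc.org. (37)
11:10:41.447082 IP 198.51.100.7.4444 > 192.0.2.53.53: 59147+ [1au] ANY? isc.org. (37)
11:10:41.447084 IP 198.51.100.7.4444 > 192.0.2.53.53: 13885+ [1au] ANY? isc.org. (37)
11:10:41.500000 IP 203.0.113.9.53211 > 192.0.2.53.53: 4242+ A? www.example.com. (33)
11:10:42.100000 IP 203.0.113.9.53212 > 192.0.2.53.53: 4243+ ANY? example.net. (29)
""".splitlines()

if __name__ == "__main__":
    for (src, qname), peak in sorted(any_query_bursts(SAMPLE).items()):
        print(f"{src}: {peak} ANY? {qname} queries in one second")
```

The source address reported here is the one written in the packet, which in the traffic described above is the target of the attack rather than the real sender.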


