[156818] in North American Network Operators' Group
Re: really nasty attacks
daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Thu Sep 27 12:13:37 2012
From: "Patrick W. Gilmore" <patrick@ianai.net>
In-Reply-To: <20120927153408.GA11650@nic.fr>
Date: Thu, 27 Sep 2012 12:12:50 -0400
To: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Sep 27, 2012, at 11:34 , Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
> On Thu, Sep 27, 2012 at 08:55:58AM -0600, Miguel Mata <mmata@intercom.com.sv> wrote
> a message of 30 lines which said:
>
>> Guys,
>
> No gals on NANOG?
Many. Although in fairness, some people use "guys" in a gender-neutral manner.
>> The attacks come from various sites from the other side of the pond
>> (46.165.197.xx, 213.152.180.yy).
>
> How can you be sure? With UDP, you have zero guarantee on the source
> IP address. (Checking the TTL can give you a hint if the packets
> really come from the same point.)
>
> Source and destination port? If source port is 53, it may mean you're
> the target of a DNS reflection+amplification attack, a la CloudFlare
> <http://blog.cloudflare.com/65gbps-ddos-no-problem>.
I do not know of any name servers that reply to queries with UDP packets filled with only the letter X. The DNS Headers alone require more than the letter "X".
-- 
TTFN,
patrick
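
An added example, not part of the original message: a Python check that reads the first 12 bytes of a captured UDP payload as a DNS header and lists why it cannot be a DNS response, which is how a capture of all-"X" packets from source port 53 can be told apart from reflected DNS answers. The function names, the 512-byte payload size and both sample payloads are constructed for illustration.

```python
import struct

DNS_HEADER_LEN = 12  # fixed DNS header size (RFC 1035, section 4.1.1)

def is_single_byte_filler(payload: bytes) -> bool:
    """True when the payload is one byte value repeated (e.g. all 'X')."""
    return len(payload) > 0 and len(set(payload)) == 1

def dns_response_problems(payload: bytes) -> list:
    """Return reasons the payload cannot be a DNS response; [] if plausible."""
    if len(payload) < DNS_HEADER_LEN:
        return ["shorter than the 12-byte DNS header"]
    # ID, flags, then the four 16-bit section counts, all big-endian.
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:DNS_HEADER_LEN])
    problems = []
    if (flags >> 15) == 0:
        problems.append("QR bit is 0 (a query, not a response)")
    opcode = (flags >> 11) & 0xF
    if opcode != 0:
        problems.append(f"opcode {opcode} is not a standard QUERY")
    # Smallest question: root name (1) + type (2) + class (2) = 5 bytes.
    # Smallest record: root name (1) + type, class, TTL, rdlength (10) = 11.
    needed = DNS_HEADER_LEN + 5 * qd + 11 * (an + ns + ar)
    if needed > len(payload):
        problems.append(
            f"section counts need >= {needed} bytes, payload has {len(payload)}"
        )
    return problems

# Constructed sample: a UDP payload filled only with the letter X.
X_PAYLOAD = b"X" * 512

# Constructed sample: a minimal DNS response for example.com A 192.0.2.1.
SAMPLE_DNS_RESPONSE = (
    struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)          # header, QR=1
    + b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1)  # question
    + b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4)      # answer RR
    + bytes([192, 0, 2, 1])                                 # rdata
)

if __name__ == "__main__":
    for name, data in (("all-X", X_PAYLOAD), ("dns", SAMPLE_DNS_RESPONSE)):
        print(name, is_single_byte_filler(data), dns_response_problems(data))
```

Read as a header, twelve "X" bytes give flags of 0x5858 (QR clear, opcode 11) and 22616 entries in every section, so the payload fails all three checks.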