[156823] in North American Network Operators' Group
Re: really nasty attacks
daemon@ATHENA.MIT.EDU (Stephane Bortzmeyer)
Thu Sep 27 14:28:16 2012
Date: Thu, 27 Sep 2012 20:26:04 +0200
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: "Patrick W. Gilmore" <patrick@ianai.net>
In-Reply-To: <0D63F120-5BAE-4887-9BBC-88781CC167F1@ianai.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Thu, Sep 27, 2012 at 12:12:50PM -0400,
Patrick W. Gilmore <patrick@ianai.net> wrote
a message of 32 lines which said:
> I do not know of any name servers that reply to queries with UDP
> packets filled with only the letter X. The DNS Headers alone
> require more than the letter "X".
Yes, you're right but I'm not sure we should take the original report
too literally. Maybe he meant there were a lot of X in the packets
(and he missed the headers), which is consistent with DNS "large TXT"
attacks such as the one described in
<http://technet.microsoft.com/en-us/security/hh972393.aspx> (where the
attacker filled with consecutive numbers, not X).
Anyway, without the actual pcap file, it is only speculation.
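
Added example, not part of the original message: a triage check of the kind one could run over UDP payloads pulled from a capture, separating a payload that is only filler (it fails DNS header parsing) from a well-formed DNS response whose TXT RDATA is mostly one repeated byte. The names `triage` and `sample_txt_response`, the 512-byte threshold and the sample packets are assumptions constructed for illustration.

```python
import struct
from collections import Counter

TYPE_TXT = 16
LARGE_TXT = 512  # assumed triage threshold in bytes, not a protocol constant

def skip_name(buf, off):
    """Return the offset just past a DNS name (labels or compression pointer)."""
    while True:
        n = buf[off]
        if n & 0xC0 == 0xC0:          # 2-byte pointer ends the name
            return off + 2
        off += 1 + n
        if n == 0:
            return off

def triage(payload):
    """Return (verdict, txt_rdata_bytes, share_of_most_common_byte)."""
    share = Counter(payload).most_common(1)[0][1] / len(payload) if payload else 0.0
    try:
        _id, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", payload, 0)
        if not flags & 0x8000 or qd > 1:   # QR bit must be set; at most one question
            raise ValueError("implausible DNS header")
        off = 12
        for _ in range(qd):
            off = skip_name(payload, off) + 4        # QTYPE + QCLASS
        txt = 0
        for _ in range(an):
            off = skip_name(payload, off)
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", payload, off)
            off += 10 + rdlen
            if off > len(payload):
                raise ValueError("RDATA runs past end of packet")
            if rtype == TYPE_TXT:
                txt += rdlen
    except (struct.error, IndexError, ValueError):
        return ("not-dns", 0, share)
    return ("dns-large-txt" if txt > LARGE_TXT else "dns-response", txt, share)

def sample_txt_response(strings=8):
    """Constructed sample: one TXT answer holding `strings` 255-byte runs of 'X'."""
    qname = b"\x07example\x04test\x00"
    rdata = (b"\xff" + b"X" * 255) * strings
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, 1, 60, len(rdata)) + rdata
    hdr = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    return hdr + qname + struct.pack("!HH", TYPE_TXT, 1) + rr
```

A payload of nothing but "X" decodes to flags 0x5858, which has the QR bit clear, so it is rejected at the header check before any record parsing.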