[169226] in North American Network Operators' Group
Re: random dns queries with random sources
daemon@ATHENA.MIT.EDU (Owen DeLong)
Wed Feb 19 01:03:28 2014
From: Owen DeLong <owen@delong.com>
In-Reply-To: <530445A4.7090808@ttec.com>
Date: Tue, 18 Feb 2014 21:56:03 -0800
To: Joe Maimon <jmaimon@ttec.com>
Cc: North American Networking and Offtopic Gripes List <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Feb 18, 2014, at 9:48 PM, Joe Maimon <jmaimon@ttec.com> wrote:
>
>
> George Herbert wrote:
>> Right. Nonzero chances that you (Joe's site) are the target...
>>
>> Also, check if you have egress filtering of spoofed addresses below these DNS resources, between them and any user objects. You could be sourcing the spoofing if not...
>
> It seems to me that the same|similar dataset of open resolvers to be used for amplification attacks is also being used for this sort of thing, and the overall effect is not large enough to indicate my resources are a target.
>
> What I can't figure out is what is the target and how this attack method is any more effective than the others.
>
> Joe
This assumes several facts not in evidence:
1. It is an attack.
2. It is deliberate.
3. There is a target
4. It is more effective than others
On what do you base those assumptions? To me this looks to be far more likely to be someone's wayward script, experiment, software, tool, etc. doing something it probably isn't supposed to be doing.
If it happens to also be gathering the answers or information that the author wants (or appears to be doing so), then the author may well be blissfully ignorant of its wayward behavior towards your servers.
Owen