[180128] in North American Network Operators' Group

Re: [SECURITY] Application layer attacks/DDoS attacks

daemon@ATHENA.MIT.EDU (Roland Dobbins)
Tue May 26 01:22:10 2015

X-Original-To: nanog@nanog.org
From: "Roland Dobbins" <rdobbins@arbor.net>
To: "North American Network Operators' Group" <nanog@nanog.org>
Date: Tue, 26 May 2015 12:19:58 +0700
In-Reply-To: <m2vbfg9wl7.wl%randy@psg.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On 26 May 2015, at 4:27, Randy Bush wrote:

> may i remind you of the dns query flood i had which you helped 
> research?
> udp and tcp, from the same sources.

Yes - we determined that the TCP-based queries were a result of RRL, 
which is optimized to help with spoofed reflection/amplification 
attacks, but isn't intended to handle non-spoofed query-floods (hence 
S/RTBH, flowspec, IDMS, et al.) like the particular ANY query-flood 
directed at your auths.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
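
An added example, not part of the original message: a small log triage that separates sources seen over both UDP and TCP (non-spoofed, so candidates for source-based filtering such as S/RTBH) from UDP-only sources. It assumes RRL answers some rate-limited queries with truncated replies, which real clients retry over TCP; the record layout, the threshold and the function names are hypothetical, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed records: (time_s, source_ip, transport, qtype).
# Addresses come from documentation ranges, not from the incident discussed.
SAMPLE_LOG = [
    (0.0, "192.0.2.10", "udp", "ANY"),
    (0.1, "192.0.2.10", "udp", "ANY"),
    (0.2, "192.0.2.10", "udp", "ANY"),
    (0.3, "192.0.2.10", "tcp", "ANY"),   # retry over TCP after a truncated reply
    (0.4, "192.0.2.10", "tcp", "ANY"),
    (0.0, "198.51.100.7", "udp", "ANY"),
    (0.1, "198.51.100.7", "udp", "ANY"),
    (0.2, "198.51.100.7", "udp", "ANY"),
    (0.3, "198.51.100.7", "udp", "ANY"),
    (0.5, "203.0.113.5", "udp", "A"),
    (9.0, "203.0.113.5", "udp", "AAAA"),
]


def classify_sources(records, min_udp=3):
    """Label each source as 'normal', 'udp-only' or 'non-spoofed-flood'.

    A source that follows a UDP burst with TCP queries has completed a
    handshake, so its address is real and RRL alone will not stop it.
    A UDP-only burst may be spoofed (the reflection case RRL targets).
    """
    stats = defaultdict(lambda: {"udp": 0, "tcp": 0,
                                 "first_udp": None, "first_tcp": None})
    for ts, src, transport, _qtype in sorted(records):
        s = stats[src]
        s[transport] += 1
        if s["first_" + transport] is None:
            s["first_" + transport] = ts
    labels = {}
    for src, s in stats.items():
        if s["udp"] < max(min_udp, 1):
            labels[src] = "normal"
        elif s["tcp"] and s["first_tcp"] >= s["first_udp"]:
            labels[src] = "non-spoofed-flood"
        else:
            labels[src] = "udp-only"
    return labels


def block_candidates(records, min_udp=3):
    """Sources worth reviewing for source-based filtering."""
    labels = classify_sources(records, min_udp)
    return sorted(s for s, l in labels.items() if l == "non-spoofed-flood")
```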