[24830] in North American Network Operators' Group

Re: DNS Flood

daemon@ATHENA.MIT.EDU (Vui Le)
Thu Aug 12 17:13:09 1999

To: "Jamie D." <jamie@cerf.net>
Cc: "Nanog" <Nanog@merit.edu>
In-reply-to: Your message of "Thu, 12 Aug 1999 12:19:31 PDT."
             <003001bee4f7$9a916ef0$f8e9cfc0@hq.sd.cerf.net> 
Date: Thu, 12 Aug 1999 14:11:51 -0700
From: Vui Le <vuile@laihwa.es.net>
Errors-To: owner-nanog-outgoing@merit.edu


Hi Jamie,

We are seeing it as well (same spoofed addresses). In our case, we
tracked it to NAPNET @ AADS-NAP. Folks from NAPNET are looking
at it but we have not heard back from them.

- Vui

> Are there any other ISPs who are experiencing DNS floods, specifically I am
> looking for traffic destined for (or coming from) the following IPs
> 
> >>> 199.108.32.203
> >>> 216.15.178.201
> >>> 129.180.11.17
> >>> 216.41.23.68
> >>> 208.235.124.20
> >>> 203.251.77.1
> 
> It appears someone is running a script that is using these nameservers, as
> well as the name servers of other educational facilities, to do a lookup on
> multiple servers in the amplitude of 3-4 a second.  This activity has been
> happening for the past 3 weeks, we have null routed this traffic on our
> backbone, but it still shows up in Cache flow.
> 
> This traffic actually saturated our customer's pipe as well as increased the
> load on our backbone router.
> 
> If anyone has seen anything at all like that, (specifically people from
> UU.net or AT&T Worldnet) please let's band together and find the person doing
> this.
> 
> Thanks
> Jamie D.    | noc@cerf.net
> AT&T CERFnet| Network Analyst
> 1-888-237-3638 opt 2 opt 2

========================================================================
Vui Q. Le                                      Phone: (510) 495-2204
Energy Sciences Network (ESnet)                Fax  : (510) 486-6712
Network Engineering Services Group             Email: vuile@es.net
Lawrence Berkeley National Laboratory          URL  : http://www.es.net/
========================================================================

