[33402] in North American Network Operators' Group
Re: DNS requests from 209.67.50.203
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Tue Jan 9 20:14:09 2001
From: "Steven M. Bellovin" <smb@research.att.com>
To: jtk@aharp.is-net.depaul.edu
Cc: nanog@merit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 09 Jan 2001 19:24:39 -0500
Message-Id: <20010110002439.939AE35DC2@smb.research.att.com>
Errors-To: owner-nanog-outgoing@merit.edu
In message <3A5BA3C3.CEAAD37D@depaul.edu>, John Kristoff writes:
>
>I'm surprised this hasn't come up in NANOG yet...
>
>On a university list many sites are reporting large amounts of traffic
>appearing to come from 209.67.50.203 to their DNS servers. The
>administrator of the source IP (spoofed of course) is the victim of a
>brutal DoS attack. The traffic is UDP/DNS queries that are appear to be
>going directly to available DNS servers (as opposed to random hosts).
>Most sites are reporting on the order of 6 or more packets per second to
>their DNS servers. The victim has apparently seen upwards of 90 Mb/s of
>traffic coming back in to them. Does anyone here have anymore
>information on this attack?
Yes, it's a DDoS attack, of the type that Vern Paxson has dubbed
"refletor attacks". You send a forged DNS query to a DNS server; it
sends its reply to the victim. Then you have lots of hosts around the
net doing this, but banging on different DNS servers.
--Steve Bellovin
