[33405] in North American Network Operators' Group
Re: DNS requests from 209.67.50.203
daemon@ATHENA.MIT.EDU (Jared Mauch)
Tue Jan 9 20:50:16 2001
Date: Tue, 9 Jan 2001 20:32:55 -0500
From: Jared Mauch <jared@puck.Nether.net>
To: "Steven M. Bellovin" <smb@research.att.com>
Cc: jtk@aharp.is-net.depaul.edu, nanog@merit.edu
Message-ID: <20010109203255.C8687@puck.nether.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20010110002439.939AE35DC2@smb.research.att.com>; from smb@research.att.com on Tue, Jan 09, 2001 at 07:24:39PM -0500
Errors-To: owner-nanog-outgoing@merit.edu
On Tue, Jan 09, 2001 at 07:24:39PM -0500, Steven M. Bellovin wrote:
>
> In message <3A5BA3C3.CEAAD37D@depaul.edu>, John Kristoff writes:
> >
> >I'm surprised this hasn't come up in NANOG yet...
> >
> >On a university list many sites are reporting large amounts of traffic
> >appearing to come from 209.67.50.203 to their DNS servers. The
> >administrator of the source IP (spoofed of course) is the victim of a
> >brutal DoS attack. The traffic is UDP/DNS queries that appear to be
> >going directly to available DNS servers (as opposed to random hosts).
> >Most sites are reporting on the order of 6 or more packets per second to
> >their DNS servers. The victim has apparently seen upwards of 90 Mb/s of
> >traffic coming back in to them. Does anyone here have any more
> >information on this attack?
>
> Yes, it's a DDoS attack, of the type that Vern Paxson has dubbed
> "reflector attacks". You send a forged DNS query to a DNS server; it
> sends its reply to the victim. Then you have lots of hosts around the
> net doing this, but banging on different DNS servers.

A good way to reduce this is to turn off recursion for
people not on your network for your DNS server. This is fairly easy
to do with bind8/bind9.
- Jared
--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
END OF LINE | Manager of IP networks built within my own home
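
The recursion restriction suggested in the message above, written out as a BIND 9 `named.conf` fragment. This is an added example, not part of the original post; the ACL name, address ranges (documentation prefixes), directory and zone name are placeholders.

```conf
// named.conf fragment (BIND 9 syntax). Constructed example; the
// address ranges are documentation placeholders, not from the thread.

// Clients allowed to use this server as a recursive resolver.
acl "our-nets" {
    127.0.0.1;
    192.0.2.0/24;      // placeholder: your own customer/office prefix
    198.51.100.0/24;   // placeholder: a second internal prefix
};

options {
    directory "/var/named";

    // Weak setting (recursion for anyone who asks):
    //     recursion yes;
    //     allow-recursion { any; };
    // A forged query from any source is then resolved in full and the
    // answer is sent to the spoofed address.

    // Restricted setting: recurse only for our own networks.
    recursion yes;
    allow-recursion { "our-nets"; };
};

// Zones this server is authoritative for still answer everyone.
zone "example.com" {
    type master;
    file "db.example.com";
    allow-query { any; };
};
```

A server that only hosts zones and has no resolver clients can set `recursion no;` instead of maintaining an ACL. `named-checkconf` validates the file before the daemon is reloaded.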