[33425] in North American Network Operators' Group

Re: DNS requests from 209.67.50.203

daemon@ATHENA.MIT.EDU (Kevin Houle)
Wed Jan 10 09:38:28 2001

Message-ID: <3A5C736B.27D6CBD9@cert.org>
Date: Wed, 10 Jan 2001 09:36:27 -0500
From: Kevin Houle <kjh@cert.org>
MIME-Version: 1.0
To: jtk@aharp.is-net.depaul.edu
Cc: nanog@merit.edu
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu


John Kristoff wrote:
> 
> On a university list many sites are reporting large amounts of traffic
> appearing to come from 209.67.50.203 to their DNS servers.  The
> administrator of the source IP (spoofed of course) is the victim of a
> brutal DoS attack.  The traffic is UDP/DNS queries that appear to be
> going directly to available DNS servers (as opposed to random hosts).
> Most sites are reporting on the order of 6 or more packets per second to
> their DNS servers.  The victim has apparently seen upwards of 90 Mb/s of
> traffic coming back in to them.  Does anyone here have any more
> information on this attack?

In general, this attack method is known. There is some information 
about it documented at:

  Denial of Service Attacks Using Nameservers
  http://www.cert.org/incident_notes/IN-2000-04.html

Regards,
Kevin

