[57072] in North American Network Operators' Group


Re: DNS dDos Attack!

daemon@ATHENA.MIT.EDU (Kevin Houle)
Fri Mar 28 09:57:13 2003

Date: Fri, 28 Mar 2003 09:52:40 -0500
From: Kevin Houle <kjh@cert.org>
To: Dan Armstrong <dan@beanfield.com>, nanog@merit.edu
In-Reply-To: <3E845C20.67EDEB9A@beanfield.com>
Errors-To: owner-nanog-outgoing@merit.edu


--On Friday, March 28, 2003 09:28:48 AM -0500 Dan Armstrong <dan@beanfield.com> wrote:

> Sorry, I lied.  We are running 8.34Release
>
> What I cannot figure out is why *our* name server is sending out ICMP
> unreachables.  The incoming dns queries are coming from random
> destinations....

Are you sure the inbound attack packets are really valid queries, or are
they responses? I ask because in the classic DDoS-via-nameservers attack,
the victim will receive answers from a slew of other nameservers and send
out ICMP unreachables. See

  http://www.cert.org/incident_notes/IN-2000-04.html

Kevin
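The check Kevin asks for (are the inbound packets queries or answers?) can be made on the DNS header itself. This is an added example, not code from the thread or from CERT: it reads the QR bit of each udp/53 datagram arriving at the name server and tallies answers per source address, since many distinct sources delivering unsolicited answers is the reflection pattern described above. The sample datagrams, the addresses and the `min_sources` threshold are constructed assumptions.

```python
import struct
from collections import Counter

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035, section 4.1.1)
DNS_HEADER = struct.Struct("!HHHHHH")

def is_dns_response(payload: bytes) -> bool:
    """True when the QR bit (bit 15 of FLAGS) is set, i.e. the datagram is an
    answer rather than a query. Raises ValueError on a truncated header."""
    if len(payload) < DNS_HEADER.size:
        raise ValueError("truncated DNS header")
    _, flags, *_ = DNS_HEADER.unpack_from(payload)
    return bool(flags & 0x8000)

def classify_inbound(datagrams):
    """datagrams: iterable of (src_ip, payload) pairs captured on udp/53
    toward the server. Returns (queries_per_source, answers_per_source)."""
    queries, answers = Counter(), Counter()
    for src, payload in datagrams:
        try:
            (answers if is_dns_response(payload) else queries)[src] += 1
        except ValueError:
            continue  # malformed datagram: counted as neither
    return queries, answers

def looks_like_reflection(queries, answers, min_sources=3):
    """Heuristic (assumed threshold): answers from at least min_sources
    distinct hosts, outnumbering the hosts that actually sent queries."""
    return len(answers) >= min_sources and len(answers) > len(queries)

def dns_message(msg_id, response, qname="example.com"):
    """Build a minimal one-question DNS message for the constructed sample."""
    flags = 0x8180 if response else 0x0100  # QR|RD|RA for an answer, RD for a query
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    return DNS_HEADER.pack(msg_id, flags, 1, 0, 0, 0) + question

# Constructed sample (documentation-range addresses), not a real capture.
SAMPLE = [
    ("192.0.2.10", dns_message(1, False)),   # a legitimate query
    ("198.51.100.1", dns_message(2, True)),  # unsolicited answers from three hosts
    ("198.51.100.2", dns_message(3, True)),
    ("198.51.100.3", dns_message(4, True)),
    ("203.0.113.7", b"\x00\x01"),            # truncated junk, ignored
]

if __name__ == "__main__":
    q, a = classify_inbound(SAMPLE)
    print("queries:", dict(q), "answers:", dict(a), "reflection:", looks_like_reflection(q, a))
```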

