[87934] in North American Network Operators' Group
Re: DOS attack against DNS?
daemon@ATHENA.MIT.EDU (Jeroen Massar)
Sun Jan 15 11:01:34 2006
Date: Sun, 15 Jan 2006 17:00:19 +0100
From: Jeroen Massar <jeroen@unfix.org>
To: Mark Andrews <Mark_Andrews@isc.org>
Cc: nanog@merit.edu, garlic@garlic.com
In-Reply-To: <200601150733.k0F7XX0p079455@drugs.dv.isc.org>
Errors-To: owner-nanog@merit.edu
Mark Andrews wrote:
> In article <43C9EF72.50803@garlic.com> you write:
>> I just started seeing thousands of DNS queries that look like some sort
>> of DOS attack. One log entry is below with the IP obscured.
>>
>> client xx.xx.xx.xx#6704: query: z.tn.co.za ANY ANY +E
>>
>> When you look at z.tn.co.za you see a huge TXT record.
>>
>> Is anyone else seeing this attack or am I the lucky one? Is this a
>> known attack?
>>
>> Roy
>
> You are being used as a DoS amplifier. The queries will be
> spoofed. Someone needs to learn about BCP 38.
Next to not running a $world recursive/caching service ;)
Which is where the OP can actually do something about this problem.
Folks who don't do ingress filtering will not be bothered to get it
going unfortunately...
Greets,
Jeroen
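
A log check for the situation discussed in this thread, added here as an example and not code from any of the posters: it counts recursive queries arriving from outside the networks a resolver is meant to serve, grouped by question because the client addresses are described as spoofed. The served network, the sample log lines and the function names are assumptions constructed for illustration; `+` in the flags field is BIND's marker for recursion desired.

```python
import ipaddress
import re
from collections import Counter

# Shape of the BIND query-log line quoted in the thread:
#   client <ip>#<port>: query: <qname> <class> <type> <flags>
LINE_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>[+-]\S*)"
)

# Assumption: the only networks this resolver is meant to serve.
SERVED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample log (documentation addresses and names, not real traffic).
SAMPLE_LOG = """\
client 192.0.2.10#40001: query: www.example.org IN A +
client 198.51.100.7#6704: query: big.example.net ANY ANY +E
client 198.51.100.7#6705: query: big.example.net ANY ANY +E
client 203.0.113.9#6111: query: big.example.net ANY ANY +E
client 203.0.113.9#6112: query: www.example.org IN A -
client 192.0.2.11#40002: query: big.example.net IN ANY +E
not a query line
"""


def external_recursive_queries(log_text, served_nets=SERVED_NETS):
    """Count recursive queries from outside served_nets, keyed by (qname, qtype).

    Keyed by question rather than by client: in a reflection attack the
    client address is the spoofed victim, so per-client counts mislead.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or not m["flags"].startswith("+"):  # "+" = recursion desired
            continue
        try:
            addr = ipaddress.ip_address(m["ip"])
        except ValueError:  # malformed address: skip the line
            continue
        if not any(addr in net for net in served_nets):
            counts[(m["qname"].lower(), m["qtype"].upper())] += 1
    return counts


def amplifier_suspects(log_text, threshold=3):
    """Questions asked recursively from outside at least `threshold` times."""
    counts = external_recursive_queries(log_text)
    return sorted(q for q, n in counts.items() if n >= threshold)
```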