[88930] in North American Network Operators' Group
Re: DNS deluge for x.p.ctrc.cc
daemon@ATHENA.MIT.EDU (Gadi Evron)
Fri Feb 24 13:21:20 2006
Date: Fri, 24 Feb 2006 20:19:18 +0200
From: Gadi Evron <ge@linuxbox.org>
To: "Estes, Paul" <pestes@Covad.COM>
Cc: nanog list <nanog@merit.edu>
In-Reply-To: <DE218759AAF51B45B534A59F5166425405B32558@ZANEVS03.cc-ntd1.covad.com>
Errors-To: owner-nanog@merit.edu
Estes, Paul wrote:
> Actually, what we are seeing does not appear to be an amplification
> attack. It appears to be a request flood from infected machines.
>
> We have anti-spoofing filters on our upstream connections as well as our
> subscribers' access lines. The source addresses are not spoofed. They
> are valid subscriber source IPs.
>
> Based on some cached entries I have found in other nameservers, CTRC.CC
> was apparently hacked and was delegating a number of subdomains to
> another nameserver that was issuing the 4K TXT record. The delegation
> has now been removed, and the nameserver they were delegated to appears
> to be offline.
Do they all happen to be connecting to one outside IP address? :)
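The distinction Paul draws above, a request flood from real subscriber hosts versus a spoofed-source amplification attack, is one an operator checks from the resolver's own query logs. The following Python script is an added example, not code from this thread or from either poster: it parses constructed query-log lines (the format, the `192.0.2.0/24` subscriber prefix and the `analyze` / `is_subscriber` names are all assumptions), counts queries under the target domain per source address, and reports whether the load comes from inside the operator's own address space (non-spoofed, infected subscribers) or from outside (where spoofing or reflection would need to be considered), along with the inside hosts that exceed a query threshold.

```python
import ipaddress
from collections import Counter

# Constructed sample resolver query log (not from the original thread).
# Format assumed: "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
2006-02-24T13:20:01 192.0.2.10 x.p.ctrc.cc TXT
2006-02-24T13:20:01 192.0.2.11 x.p.ctrc.cc TXT
2006-02-24T13:20:02 192.0.2.10 x.p.ctrc.cc TXT
2006-02-24T13:20:02 198.51.100.7 www.example.com A
2006-02-24T13:20:03 192.0.2.12 x.p.ctrc.cc TXT
2006-02-24T13:20:03 203.0.113.5 x.p.ctrc.cc TXT
2006-02-24T13:20:04 192.0.2.10 x.p.ctrc.cc TXT
"""

# Assumed subscriber address space of the resolver operator (placeholder prefix).
SUBSCRIBER_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]


def parse_line(line):
    """Split one log line into its fields; qname is normalised to lower case, no trailing dot."""
    ts, src, qname, qtype = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "qname": qname.lower().rstrip("."),
        "qtype": qtype,
    }


def is_subscriber(ip):
    """True if the address falls inside one of the operator's subscriber prefixes."""
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in SUBSCRIBER_PREFIXES)


def analyze(log_text, target_domain, threshold=2):
    """Aggregate queries for target_domain (and its subdomains) by source address.

    Returns per-source counts split into inside/outside the subscriber space,
    the inside sources at or above `threshold` queries, and a verdict on whether
    the load looks like a request flood from the operator's own hosts.
    """
    per_src = Counter()
    total = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["qname"] == target_domain or rec["qname"].endswith("." + target_domain):
            total += 1
            per_src[rec["src"]] += 1

    inside = {str(ip): n for ip, n in per_src.items() if is_subscriber(ip)}
    outside = {str(ip): n for ip, n in per_src.items() if not is_subscriber(ip)}
    flood_sources = sorted(ip for ip, n in inside.items() if n >= threshold)

    if sum(inside.values()) > sum(outside.values()):
        verdict = "request flood from inside hosts (sources are real subscribers)"
    else:
        verdict = "mostly external sources (check for spoofing or reflection)"

    return {
        "total": total,
        "inside": inside,
        "outside": outside,
        "flood_sources": flood_sources,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, "ctrc.cc")
    print(result["verdict"])
    for ip in result["flood_sources"]:
        print("inside host exceeding threshold:", ip, result["inside"][ip])
```

Because an operator with ingress anti-spoofing filters (as described in the quoted message) can trust that inside-prefix sources are genuine, the `flood_sources` list is the set of subscribers worth contacting or rate-limiting; the same threshold applied to outside sources would be meaningless if those addresses could be spoofed, which is why the script reports them separately instead of mixing the two.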