[88968] in North American Network Operators' Group


Re: DNS deluge for x.p.ctrc.cc

daemon@ATHENA.MIT.EDU (Barrett Lyon)
Sun Feb 26 22:02:45 2006

In-Reply-To: <3A38E5B1-4E84-411E-836B-175856DAFB8D@blyon.com>
From: Barrett Lyon <blyon@prolexic.com>
Date: Sun, 26 Feb 2006 22:02:17 -0500
To: nanog@merit.edu
Errors-To: owner-nanog@merit.edu


I thought I would chime in quickly; one of my customers has been one
of the targets of this attack.  The x.p.ctrc.cc DNS server was shut
down on the 15th, and the response itself had a 360000 TTL, so that should
be expired by now.

On this end of it, the largest traffic spike we received was around 8
Gbps.  The last time we saw this traffic was on the 21st around 2 GMT,
with traffic at about 2 Gbps; it has lost a lot of steam.  If you see
unusual DNS traffic to AS32787 or 72.52.0.0/18, chances are it is
part of this attack or the attacker set up a new RR to query against.

I've yet to see a copy of the malware that is doing the spoofed  
queries itself.  If anyone has it, I would like to take a look.

Thanks and I am really impressed with everyone's reaction to this  
attack.  Especially Rob Thomas, he really has a grip on it.

Cheers,

-Barrett
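The post describes the two things a network operator would want to check for: large DNS responses arriving unsolicited at the victim prefix (the reflection flood), and how long resolvers that cached the amplification record could keep serving it after the authoritative server was shut down. The script below is an added example written for this archive page, not code from the poster or from NANOG. The prefix 72.52.0.0/18 and the 360000-second TTL come from the post; the flow records, the reflector addresses (RFC 5737 documentation ranges), the 512-byte threshold and all function names are constructed assumptions for the example.

```python
"""Flag large DNS responses aimed at a victim prefix in flow records.

Added example for the NANOG thread above (not the poster's code).
The prefix and TTL come from the post; the flow lines and the size
threshold are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

VICTIM_PREFIX = ipaddress.ip_network("72.52.0.0/18")  # from the post
RR_TTL_SECONDS = 360000                               # from the post
DNS_PORT = 53
# Assumption: a classic UDP DNS reply without EDNS fits in 512 bytes, so a
# stream of much larger replies nobody on the prefix asked for is the
# footprint of a reflection/amplification flood.
LARGE_RESPONSE_BYTES = 512

# Constructed sample flow records: "timestamp src_ip src_port dst_ip dst_port bytes"
SAMPLE_FLOWS = """\
2006-02-21T02:00:01Z 203.0.113.7 53 72.52.10.5 1234 3100
2006-02-21T02:00:01Z 198.51.100.9 53 72.52.10.5 1234 2900
2006-02-21T02:00:02Z 203.0.113.7 53 72.52.10.5 1234 3100
2006-02-21T02:00:02Z 192.0.2.44 53 198.51.100.20 5353 120
2006-02-21T02:00:03Z 203.0.113.7 53 72.52.63.200 40000 90
2006-02-21T02:00:03Z 72.52.10.5 33000 203.0.113.7 53 60
"""


def parse_flow(line):
    """Turn one space-separated flow line into a dict with typed fields."""
    ts, src, sport, dst, dport, nbytes = line.split()
    return {
        "ts": ts,
        "src_ip": ipaddress.ip_address(src),
        "src_port": int(sport),
        "dst_ip": ipaddress.ip_address(dst),
        "dst_port": int(dport),
        "bytes": int(nbytes),
    }


def is_suspect_dns_response(flow, prefix=VICTIM_PREFIX, threshold=LARGE_RESPONSE_BYTES):
    """True for a DNS reply (source port 53) into the victim prefix that is
    larger than a normal UDP answer. Queries leaving the prefix (destination
    port 53) and small replies are left alone."""
    return (
        flow["src_port"] == DNS_PORT
        and flow["dst_ip"] in prefix
        and flow["bytes"] > threshold
    )


def flag_reflected_dns(text, prefix=VICTIM_PREFIX, threshold=LARGE_RESPONSE_BYTES):
    """Return the parsed flows that look like reflected, amplified DNS replies."""
    flows = (parse_flow(line) for line in text.splitlines() if line.strip())
    return [f for f in flows if is_suspect_dns_response(f, prefix, threshold)]


def summarize_reflectors(flagged):
    """Per reflector (the open resolver answering the spoofed queries):
    (ip, reply count, total bytes), heaviest contributor first."""
    totals = defaultdict(lambda: [0, 0])
    for f in flagged:
        key = str(f["src_ip"])
        totals[key][0] += 1
        totals[key][1] += f["bytes"]
    rows = [(ip, count, nbytes) for ip, (count, nbytes) in totals.items()]
    return sorted(rows, key=lambda row: -row[2])


def cached_response_expiry(shutdown_iso, ttl_seconds=RR_TTL_SECONDS):
    """Latest time a resolver that cached the record just before the
    authoritative server went away can still hand it out: shutdown + TTL.
    Takes and returns ISO 8601 timestamps."""
    shutdown = datetime.fromisoformat(shutdown_iso)
    return (shutdown + timedelta(seconds=ttl_seconds)).isoformat()


if __name__ == "__main__":
    hits = flag_reflected_dns(SAMPLE_FLOWS)
    for ip, count, nbytes in summarize_reflectors(hits):
        print(f"{ip}: {count} oversized replies, {nbytes} bytes")
    # A 360000 s TTL is 100 hours, so a record cached at the moment of the
    # shutdown on the 15th is gone from caches by the 19th.
    print("cached record expires by", cached_response_expiry("2006-02-15T00:00:00"))
```

The per-reflector summary is the useful output for an operator: it names the open resolvers being abused, which is the list to share with their owners, while the victim prefix can only rate-limit or filter the replies. The expiry calculation is why the poster expects the record to be gone already: 360000 seconds is 100 hours, so a cache filled right before the shutdown on the 15th empties early on the 19th.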
