[AusNOG] DNS reflection attack

Tom Storey tom at snnap.net
Thu Jan 22 21:18:41 EST 2009


Seems there is a 3rd IP that is also sending queries, though only once a
minute or thereabouts.

And according to NANOG it's actually an attack against some nameservers
operated by ISPrime.

ISPrime suggests blocking any traffic from those two IPs that is not UDP
source port 53, as they are authoritative name servers only.

3rd IP is 76.9.16.171.

In the short time that I have had my ACL in for the other two I've blocked
over 11,000 packets.

Tom

> Is anyone else unfortunate enough to be "participating" in a DNS
> reflection attack at present?
>
> A few days ago I discovered that I had been part of one starting about 11
> days earlier. I promptly ACL'd off the (spoofed) source IP in question to
> spare the disk on the box running my DNS server (log file was getting
> quite large), but it appears that two more IPs are now being targeted.
>
> So far the 3 that I have seen are:
>
> 69.50.142.11
> 66.230.160.1
> 66.230.128.15
>
> The first IP seemed to host a bunch of shemale related websites (according
> to a simple google search for the IP), I can only guess the next two do
> as well.
>
> Others might like to check whether they are seeing anything from these
> IPs, and block them out too.
>
> I'm seeing ~5 requests/sec combined from the second and 3rd IPs at the
> moment.
>
> Unfortunately this is hitting me on my home DSL connection.
>
> Tom
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
