[AusNOG] DNS reflection attack

Steven Lisson stevel at dedicatedservers.net.au
Thu Jan 22 21:30:20 EST 2009


Hi,

I think you will find that many people's servers are involved in this
type of attack (have seen it on our network and blocking where
appropriate on a network level), there has been extensive discussion on
the NANOG list about it and would recommend reading the archives if you're
interested.

One of the destinations attacked/spoofed, ISPrime (the last two IPs
mentioned) has said that the two IPs were authoritative nameservers and
should not make DNS requests so blocking any requests from them to port
53 should block any illegitimate traffic.

Steve

-----Original Message-----
From: ausnog-bounces at lists.ausnog.net
[mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Tom Storey
Sent: Thursday, 22 January 2009 7:45 PM
To: ausnog at ausnog.net
Subject: [AusNOG] DNS reflection attack

Is anyone else unfortunate enough to be "participating" in a DNS
reflection attack at present?

A few days ago I discovered that I had been part of one starting about
11 days earlier. I promptly ACL'd off the (spoofed) source IP in question
to spare the disk on the box running my DNS server (log file was getting
quite large), but it appears that two more IPs are now being targeted.

So far the 3 that I have seen are:

69.50.142.11
66.230.160.1
66.230.128.15

The first IP seemed to host a bunch of shemale related websites
(according to a simple Google search for the IP), I can only guess the
next two do as well.

Others might like to check whether they are seeing anything from these
IPs, and block them out too.

I'm seeing ~5 requests/sec combined from the second and 3rd IPs at the
moment.

Unfortunately this is hitting me on my home DSL connection.

Tom
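
Added example, not part of either message: one way to find the sources described in this thread from a DNS server's query log, flagging both high-rate clients and hosts whose operator says they never send queries. The BIND 9 style log format, the thresholds, the function names and the documentation-range addresses are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed BIND 9 style query-log line; adjust the pattern to your server's format.
LINE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ .*?"
    r"client (?:@\S+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+.*?: query: \S+ IN \S+"
)
EPOCH = datetime(1970, 1, 1)

def flag_sources(lines, never_query=frozenset(), window_s=10, max_per_window=20):
    """Return {source_ip: reason} for query sources worth an ACL entry."""
    counts = defaultdict(int)  # (ip, window index) -> queries seen
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a query line
        ip = m["ip"]
        if ip in never_query:
            # Operator says this host is authoritative-only, so any query
            # claiming to come from it is treated as illegitimate.
            flagged[ip] = "authoritative-only host should not send queries"
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        key = (ip, int((ts - EPOCH).total_seconds()) // window_s)
        counts[key] += 1
        if counts[key] > max_per_window:
            flagged.setdefault(ip, f"more than {max_per_window} queries in {window_s}s")
    return flagged

def sample_log():
    """Constructed log lines; all addresses are documentation ranges."""
    lines = [
        f"22-Jan-2009 19:45:{s:02d}.{i}00 client 198.51.100.7#{40000 + i}: "
        "query: example.net IN NS +"
        for s in range(10) for i in range(5)  # 5 queries/sec for 10 seconds
    ]
    lines.append("22-Jan-2009 19:45:03.000 client 192.0.2.53#1053: query: example.org IN A +")
    lines.append("22-Jan-2009 19:45:04.000 client 203.0.113.9#5353: query: example.com IN A +")
    return lines

if __name__ == "__main__":
    for ip, reason in flag_sources(sample_log(), never_query={"192.0.2.53"}).items():
        print(f"{ip}: {reason}")
```

The flagged addresses are candidates for a port 53 ACL at the network edge; because the sources are spoofed, the entries protect the victim and the log disk rather than punish a real client.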
