<html><body style="font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif; font-size: 12px;"><blockquote><br />
+1 <div>The same with 8.8.4.4 and OpenDNS public resolvers<div><br /></div><div>ABS is using geo-blocking with layer-3 IP ACL on the routers upstream from their DNS servers. VPN users terminating outside of Australia (yay HBO Go and Amazon video), or employees of MNCs with resolvers outside of Australia. </div><div><p class="p1"><span class="s1">Because it was a layer-3 block, they just dropped the traffic and the user’s resolver would keep sending DNS queries. As a result, there were numerous resolvers sending a flood of requests to <a href="http://census.abs.gov.au/"><span class="s2">census.abs.gov.au</span></a> DNS servers which looked like a small amplification attack.</span></p><p class="p1"><span class="s1">Additionally they have taken the wrong move of increasing TTL's to try to reduce load on their DNS. This makes it hard to move to a cloud DDOS provider as the dns will take 24hrs to propagate. 14400 seconds.</span></p>www.census.abs.gov.au.<span class="Apple-tab-span"> </span><b>14400</b><span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>A<span class="Apple-tab-span"> </span>150.207.169.5<p class="p1"><span class="s1"><br /></span></p><p class="p1"><span class="s1">------</span></p><p class="p1"><span class="s1">$ dig +trace www.census.abs.gov.au @61.88.88.88</span></p><p class="p2"><span class="s1"></span><br /></p><p class="p1"><span class="s1">; <<>> DiG 9.8.3-P1 <<>> +trace www.census.abs.gov.au @61.88.88.88</span></p><p class="p1"><span class="s1">;; global options: +cmd</span></p><p class="p1"><span class="s1">.<span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span>333196<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>j.root-servers.net.</span></p><p class="p1"><span class="s1">.<span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span>333196<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>k.root-servers.net.</span></p><p class="p1"><span class="s1">.<span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span>333196<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>l.root-servers.net.</span></p><p class="p1"><span class="s1">.<span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span>333196<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>m.root-servers.net.</span></p><p class="p1"><span class="s1">.<span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span>333196<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>a.root-servers.net.</span></p><p class="p1"><span class="s1">.<span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span>333196<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>b.root-servers.net.</span></p><p class="p1"><span class="s1">.<span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span>333196<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>c.root-servers.net.</span></p><p class="p1"><span class="s1">.<span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span>333196<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>d.root-servers.net.</span></p><p class="p1"><span class="s1">.<span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span>333196<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>e.root-servers.net.</span></p><p class="p1"><span class="s1">.<span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span>333196<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>f.root-servers.net.</span></p><p class="p1"><span class="s1">.<span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span>333196<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>g.root-servers.net.</span></p><p class="p1"><span class="s1">..<span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span>333196<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>h.root-servers.net.</span></p><p class="p1"><span class="s1">.<span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span>333196<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>i.root-servers.net.</span></p><p class="p1"><span class="s1">;; Received 228 bytes from 61.88.88.88#53(61.88.88.88) in 152 ms</span></p><p class="p2"><span class="s1"></span><br /></p><p class="p1"><span class="s1">au.<span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span>172800<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>a.au.</span></p><p class="p1"><span class="s1">au.<span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span>172800<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>b.au.</span></p><p class="p1"><span class="s1">au.<span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span>172800<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>u.au.</span></p><p class="p1"><span class="s1">au.<span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span>172800<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>v.au.</span></p><p class="p1"><span class="s1">au.<span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span>172800<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>w.au.</span></p><p class="p1"><span class="s1">au.<span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span>172800<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>x.au.</span></p><p class="p1"><span class="s1">au.<span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span>172800<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>y.au.</span></p><p class="p1"><span class="s1">au.<span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span>172800<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>z.au.</span></p><p class="p1"><span class="s1">;; Received 491 bytes from 199.7.83.42#53(199.7.83.42) in 114 ms</span></p><p class="p2"><span class="s1"></span><br /></p><p class="p1"><span class="s1">gov.au.<span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span>86400<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>w.au.</span></p><p class="p1"><span class="s1">gov.au.<span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span>86400<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>x.au.</span></p><p class="p1"><span class="s1">gov.au.<span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span>86400<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>z.au.</span></p><p class="p1"><span class="s1">gov.au.<span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span>86400<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>y.au.</span></p><p class="p1"><span class="s1">;; Received 279 bytes from 58.65.253.73#53(58.65.253.73) in 146 ms</span></p><p class="p2"><span class="s1"></span><br /></p><p class="p1"><span class="s1">abs.gov.au.<span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span>14400<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>ns1.telstra.net.</span></p><p class="p1"><span class="s1">abs.gov.au.<span class="Apple-tab-span"> </span><span class="Apple-tab-span"> </span>14400<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>ns1.abs.gov.au.</span></p><p class="p1"><span class="s1">;; Received 102 bytes from 37.209.198.5#53(37.209.198.5) in 62 ms</span></p><p class="p2"><span class="s1"></span><br /></p><p class="p1"><span class="s1">census.abs.gov.au.<span class="Apple-tab-span"> </span>10800<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>auolpr00dn01d.abs.gov.au.</span></p><p class="p1"><span class="s1">census.abs.gov.au.<span class="Apple-tab-span"> </span>10800<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>auolpr00dn02d.abs.gov.au.</span></p><p class="p1"><span class="s1">census.abs.gov.au.<span class="Apple-tab-span"> </span>10800<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>auolpr00dn04d.abs.gov.au.</span></p><p class="p1"><span class="s1">census.abs.gov.au.<span class="Apple-tab-span"> </span>10800<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>auolpr00dn03d.abs.gov.au.</span></p><p class="p1"><span class="s1">;; Received 215 bytes from 139.130.4.5#53(139.130.4.5) in 48 ms</span></p><p class="p2"><span class="s1"></span><br /></p><p class="p1"><span class="s1">www.census.abs.gov..au.<span class="Apple-tab-span"> </span><b>14400</b><span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>A<span class="Apple-tab-span"> </span>150.207.169.5</span></p><p class="p1"><span class="s1">www.census.abs.gov.au.<span class="Apple-tab-span"> </span><b>14400<span class="Apple-tab-span"> </span></b>IN<span class="Apple-tab-span"> </span>A<span class="Apple-tab-span"> </span>150.207.169.8</span></p><p class="p1"><span class="s1">census.abs.gov.au.<span class="Apple-tab-span"> </span><b>86400</b><span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>auolpr00dn01d.abs.gov.au.</span></p><p class="p1"><span class="s1">census.abs.gov.au.<span class="Apple-tab-span"> </span><b>86400<span class="Apple-tab-span"> </span></b>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>auolpr00dn03d.abs.gov.au.</span></p><p class="p1"><span class="s1">census.abs.gov.au.<span class="Apple-tab-span"> </span>86400<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>auolpr00dn02d.abs.gov.au.</span></p><p class="p1"><span class="s1">census.abs.gov.au.<span class="Apple-tab-span"> </span>86400<span class="Apple-tab-span"> </span>IN<span class="Apple-tab-span"> </span>NS<span class="Apple-tab-span"> </span>auolpr00dn04d.abs.gov.au.</span></p><p class="p1"><span class="s1">;; Received 183 bytes from 150.207.169.7#53(150.207.169.7) in 9 ms</span></p><p class="p1"><span class="s1">
</span></p><p class="p2"><span class="s1"></span><br /></p><div><blockquote><div dir="ltr"><div class="gmail_quote"><div lang="en-us" xml:lang="en-us"><div><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri;"> <u></u></span></p>
<div style="border:none;border-top:solid #b5c4df 1pt;padding:3pt 0in 0in 0in;">
<p class="MsoNormal"><b><span style="font-family:Calibri;color:#000000;">From: </span>
</b><span style="font-family:Calibri;color:#000000;">Chris Lee <<a href="mailto:chris@datachaos.com.au">chris@datachaos.com.au</a>><br /><b>Date: </b>Thursday, August 11, 2016 at 7:09 PM<br /><b>To: </b>"<a href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a>" <<a href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a>><br /><b>Subject: </b>Re: [AusNOG] census issues tonight<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal">Online so long as you don't use Google DNS for lookups... <u></u>
<u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<div>
<p class="MsoNormal">; <<>> DiG 9.10.4-P1 <<>> @<a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__8.8.8.8&d=DQMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=wJDREqbOvAj7uAMLV05riA&m=fv569LrIV-cypFQUVYMlmz69TV4_76PM3m30R6LCx-0&s=lVEBnodBT1tutMSqVpjploWPMSXH5ioOE1oO1a3y_hQ&e=">8.8..8.8</a>
<a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__census.abs.gov.au&d=DQMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=wJDREqbOvAj7uAMLV05riA&m=fv569LrIV-cypFQUVYMlmz69TV4_76PM3m30R6LCx-0&s=SjWtw_nm3J4SjJxIdaGpWiN25_EK69qzsxCpYdAIe_o&e=">
census.abs.gov.au</a><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">; (1 server found)<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">;; global options: +cmd<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">;; Got answer:<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45286<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">;; OPT PSEUDOSECTION:<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">; EDNS: version: 0, flags:; udp: 512<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">;; QUESTION SECTION:<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">;<a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__census.abs.gov.au&d=DQMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=wJDREqbOvAj7uAMLV05riA&m=fv569LrIV-cypFQUVYMlmz69TV4_76PM3m30R6LCx-0&s=SjWtw_nm3J4SjJxIdaGpWiN25_EK69qzsxCpYdAIe_o&e=">census.abs.gov.au</a>.
IN A<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">;; Query time: 33 msec<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">;; SERVER: 8.8.8.8#53(8..8.8.8)<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">;; WHEN: Thu Aug 11 19:06:03 AEST 2016<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">;; MSG SIZE rcvd: 46<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u></p></div><div><div><p class="MsoNormal"><u></u></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div><br /></div></blockquote></div></div></div></blockquote></body></html>