[AusNOG] DNS reflection attack

Tom Storey tom at snnap.net
Thu Jan 22 20:45:23 EST 2009

Is anyone else unfortunate enough to be "participating" in a DNS
reflection attack at present?

A few days ago I discovered that I had been part of one starting about 11
days earlier. I promptly ACL'd off the (spoofed) source IP in question to
spare the disk on the box running my DNS server (log file was getting
quite large), but it appears that two more IPs are now being targeted.

So far the 3 that I have seen are:

The first IP seemed to host a bunch of shemale-related websites (according
to a simple Google search for the IP); I can only guess the next two do

Others might like to check whether they are seeing anything from these
IPs, and block them out too.

I'm seeing ~5 requests/sec combined from the second and 3rd IPs at the moment.

Unfortunately this is hitting me on my home DSL connection.
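
An added example, not part of the original post: one way to check a DNS query log for the pattern described above, a source address sending a steady stream of near-identical queries. It assumes BIND 9 querylog-style lines; the function names, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed BIND 9 querylog layout; newer versions add an "@0x..." token after "client".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) .*?"
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9A-Fa-f.:]+)#\d+.*?"
    r"query: (?P<q>\S+ \S+ \S+)"
)

def suspect_sources(lines, min_queries=20, min_rate=1.0, max_distinct=2):
    """Return {src: (count, queries_per_sec, distinct_questions)} for sources that
    send many queries at a sustained rate while asking very few distinct questions."""
    seen = defaultdict(lambda: {"n": 0, "first": None, "last": None, "q": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query line, or a layout this sketch does not know
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        s = seen[m["src"]]
        s["n"] += 1
        s["first"] = s["first"] or ts
        s["last"] = ts
        s["q"].add(m["q"].lower())
    flagged = {}
    for src, s in seen.items():
        # Clamp the span to 1 s so a short burst does not divide by zero.
        span = max((s["last"] - s["first"]).total_seconds(), 1.0)
        rate = s["n"] / span
        if s["n"] >= min_queries and rate >= min_rate and len(s["q"]) <= max_distinct:
            flagged[src] = (s["n"], round(rate, 2), len(s["q"]))
    return flagged

def sample_log():
    """Constructed sample: one repetitive source at ~5 queries/sec, one ordinary client."""
    lines = []
    for i in range(50):  # 50 identical queries, 200 ms apart
        sec, ms = divmod(i * 200, 1000)
        lines.append(f"22-Jan-2009 20:45:{sec:02d}.{ms:03d} client "
                     f"198.51.100.7#{40000 + i}: query: example.com IN A +")
    for i, name in enumerate(["www.example.org", "mail.example.org", "example.net"]):
        lines.append(f"22-Jan-2009 20:45:{i * 3:02d}.000 client 192.0.2.25#5353: "
                     f"query: {name} IN A +")
    return lines

if __name__ == "__main__":
    for src, (n, rate, distinct) in suspect_sources(sample_log()).items():
        print(f"{src}: {n} queries, {rate}/sec, {distinct} distinct question(s)")
```

Because the source addresses in a reflection attack are spoofed, the flagged addresses are the victims; the output is a candidate list for an ACL or rate limit on the resolver, not an indication of who is sending the traffic.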


