[AusNOG] DNS reflection attack
Ian Manners
2600 at comkal.com.au
Fri Jan 23 01:16:19 EST 2009
Hi Tom,
> Is anyone else unfortunate enough to be "participating" in a DNS
> reflection attack at present?
Yep :-(
Though it's slowly changing in a very odd way. I'm seeing a lot of
what should be DNS TCP or UDP packets attempting to come
through on ICMP as well so something out there is very broke.
Check <http://isc.sans.org/diary.html?storyid=5713>
Also mentioned on the Bind mailing list.
Also seeing a lot of these in my bind logs, which I haven't seen
before about 2 days ago.
[localhost] Jan 23 00:10:18 named.exe[40322]: dispatch 0x10512b0: shutting down due to TCP receive error: 200.189.40.10#53: connection reset
10.40.189.200.in-addr.arpa domain name pointer b.dns.br
I initially thought it was something on my end so I even power cycled
everything including the router but still getting it.
All coming from supposed DNS servers in countries none of my
clients or myself normally deal with, like Brazil, South Africa, China,
Korea, Indonesia, Thailand etc.
Cheers
Ian B Manners
Someday we'll look back on all this and plow into a parked car.