[AusNOG] DNS reflection attack

Ian Manners 2600 at comkal.com.au
Fri Jan 23 01:16:19 EST 2009

Hi Tom,

> Is anyone else unfortunate enough to be "participating" in a DNS
> reflection attack at present?

Yep :-(

Though it's slowly changing in a very odd way. I'm seeing a lot of
what should be DNS TCP or UDP packets attempting to come
through on ICMP as well so something out there is very broke.

Check <http://isc.sans.org/diary.html?storyid=5713>

Also mentioned on the Bind mailing list.

Also seeing a lot of these in my bind logs, which I havent seen
before about 2 days ago.

[localhost] Jan 23 00:10:18 named.exe[40322]: dispatch 0x10512b0: shutting down due 
to TCP receive error: connection reset domain name pointer b.dns.br

I initially though it was something on my end so I even powered cycled
everything including the router but still getting it.

All coming from supposed DNS servers in countries none of my
clients or myself normally deal with, like Brazil, South Africa, China,
Korea, Indonesia, Thailand etc 

Ian B Manners

Someday we'll look back on all this and plow into a parked car.

More information about the AusNOG mailing list