[AusNOG] DNS reflection attack

Tom Storey tom at snnap.net
Sat Jan 24 17:01:36 EST 2009 

For those who dont follow nanog:

The attack on 66.230.160.1 and 66.230.128.15 appears to have slowed  
significantly or stopped completely, but now it appears that  
63.217.28.226 is a new target.

Tom

On 22/01/2009, at 8:48 PM, Tom Storey wrote:

> Seems there is a 3rd IP that is also sending queries, though only  
> once a
> minute or thereabouts.
>
> And according to nanog its actually an attack against some nameservers
> operated by ISPrime.
>
> ISPrime suggests blocking any traffic from those two IPs that is not  
> UDP
> source port 53, as they are authoritative name servers only.
>
> 3rd IP is 76.9.16.171.
>
> In the short time that I have had my ACL in for the other two Ive  
> blocked
> over 11,000 packets.
>
> Tom
>
>> Is anyone else unfortunate enough to be "participating" in a DNS
>> reflection attack at present?
>>
>> A few days ago I discovered that I had been part of one starting  
>> about 11
>> days earlier. I promptly ACL'd off the (spoofed) source IP in  
>> question to
>> spare the disk on the box running my DNS server (log file was getting
>> quite large), but it appears that two more IPs are now being  
>> targeted.
>>
>> So far the 3 that I have seen are:
>>
>> 69.50.142.11
>> 66.230.160.1
>> 66.230.128.15
>>
>> The first IP seemed to host a bunch of shemale related websites  
>> (according
>> to a simple google search for the IP), I can only guess the next  
>> two do
>> aswell.
>>
>> Others might like to check whether they are seeing anything from  
>> these
>> IPs, and block them out too.
>>
>> Im seeing ~5 requests/sec combined from the second and 3rd IPs at the
>> moment.
>>
>> Unfortunately this is hitting me on my home DSL connection.
>>
>> Tom
>>
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog

More information about the AusNOG mailing list