[AusNOG] DNS reflection attack
tom at snnap.net
Sat Jan 24 17:01:36 EST 2009
For those who don't follow nanog:
The attack on 220.127.116.11 and 18.104.22.168 appears to have slowed
significantly or stopped completely, but now it appears that
22.214.171.124 is a new target.
On 22/01/2009, at 8:48 PM, Tom Storey wrote:
> Seems there is a 3rd IP that is also sending queries, though only
> once a minute or thereabouts.
> And according to nanog it's actually an attack against some nameservers
> operated by ISPrime.
> ISPrime suggests blocking any traffic from those two IPs that is not
> source port 53, as they are authoritative name servers only.
> 3rd IP is 126.96.36.199.
> In the short time that I have had my ACL in for the other two I've
> over 11,000 packets.
>> Is anyone else unfortunate enough to be "participating" in a DNS
>> reflection attack at present?
>> A few days ago I discovered that I had been part of one starting
>> about 11 days earlier. I promptly ACL'd off the (spoofed) source IP
>> in question to spare the disk on the box running my DNS server
>> (log file was getting
>> quite large), but it appears that two more IPs are now being
>> So far the 3 that I have seen are:
>> The first IP seemed to host a bunch of shemale related websites
>> to a simple google search for the IP), I can only guess the next two do
>> Others might like to check whether they are seeing anything from
>> IPs, and block them out too.
>> I'm seeing ~5 requests/sec combined from the second and 3rd IPs at the
>> Unfortunately this is hitting me on my home DSL connection.
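The filtering rule ISPrime suggests in the quoted message (drop anything claiming to come from the authoritative-only servers unless its source port is 53), as an added example that is not part of the original thread. The addresses are RFC 5737 documentation placeholders, the packet records are constructed, and the names `Packet`, `verdict` and `apply_acl` are hypothetical.

```python
from collections import Counter
from typing import NamedTuple

DNS_PORT = 53

# Placeholder addresses (RFC 5737), standing in for the authoritative-only
# name servers whose addresses appear as the spoofed source of the queries.
AUTH_ONLY_SERVERS = {"192.0.2.10", "192.0.2.11"}


class Packet(NamedTuple):
    src_ip: str
    src_port: int
    dst_port: int


def verdict(pkt: Packet) -> str:
    """Return 'drop' or 'accept' for one inbound UDP packet."""
    if pkt.src_ip not in AUTH_ONLY_SERVERS:
        return "accept"
    # An authoritative-only server never sends queries of its own, so the
    # only legitimate traffic from it is an answer, sent from port 53.
    if pkt.src_port == DNS_PORT:
        return "accept"
    return "drop"


def apply_acl(packets):
    """Filter packets; return (accepted packets, Counter of drops per source)."""
    accepted, dropped = [], Counter()
    for pkt in packets:
        if verdict(pkt) == "drop":
            dropped[pkt.src_ip] += 1
        else:
            accepted.append(pkt)
    return accepted, dropped


# Constructed sample traffic as seen at the edge of a network running a DNS server.
SAMPLE = [
    Packet("192.0.2.10", 31000, 53),    # spoofed query, ephemeral source port
    Packet("192.0.2.10", 53, 40512),    # genuine answer to one of our lookups
    Packet("192.0.2.11", 2048, 53),     # spoofed query
    Packet("198.51.100.7", 50000, 53),  # unrelated client, not affected
    Packet("192.0.2.10", 1025, 53),     # spoofed query
]

if __name__ == "__main__":
    kept, drops = apply_acl(SAMPLE)
    print(f"accepted={len(kept)} dropped={dict(drops)}")
```

The per-source drop counter plays the role of the ACL hit count mentioned in the thread. Answers from the real servers to local lookups still pass because they arrive from source port 53.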