[AusNOG] census issues tonight

johnstsquare at tpg.com.au johnstsquare at tpg.com.au
Thu Aug 11 21:39:41 EST 2016


+1. The same with 8.8.4.4 and OpenDNS public resolvers.
ABS is using geo-blocking with a layer-3 IP ACL on the routers upstream
from their DNS servers.  VPN users terminating outside of Australia
(yay HBO Go and Amazon video), or employees of MNCs with resolvers
outside of Australia.

	Because it was a layer-3 block, they just dropped the traffic and the
user’s resolver would keep sending DNS queries.  As a result, there
were numerous resolvers sending a flood of requests to
census.abs.gov.au [1] DNS servers which looked like a small
amplification attack.

	Additionally they have taken the wrong move of increasing TTLs to
try to reduce load on their DNS. This makes it hard to move to a cloud
DDoS provider as the DNS will take 24hrs to propagate.  14400 seconds.

	www.census.abs.gov.au. 14400 IN A 150.207.169.5

	------

	$ dig +trace www.census.abs.gov.au @61.88.88.88

	;  DiG 9.8.3-P1  +trace www.census.abs.gov.au @61.88.88.88
	;; global options: +cmd
	.   333196 IN NS j.root-servers.net.
	.   333196 IN NS k.root-servers.net.
	.   333196 IN NS l.root-servers.net.
	.   333196 IN NS m.root-servers.net.
	.   333196 IN NS a.root-servers.net.
	.   333196 IN NS b.root-servers.net.
	.   333196 IN NS c.root-servers.net.
	.   333196 IN NS d.root-servers.net.
	.   333196 IN NS e.root-servers.net.
	.   333196 IN NS f.root-servers.net.
	.   333196 IN NS g.root-servers.net.
	.   333196 IN NS h.root-servers.net.
	.   333196 IN NS i.root-servers.net.
	;; Received 228 bytes from 61.88.88.88#53(61.88.88.88) in 152 ms

	au.   172800 IN NS a.au.
	au.   172800 IN NS b.au.
	au.   172800 IN NS u.au.
	au.   172800 IN NS v.au.
	au.   172800 IN NS w.au.
	au.   172800 IN NS x.au.
	au.   172800 IN NS y.au.
	au.   172800 IN NS z.au.
	;; Received 491 bytes from 199.7.83.42#53(199.7.83.42) in 114 ms

	gov.au.   86400 IN NS w.au.
	gov.au.   86400 IN NS x.au.
	gov.au.   86400 IN NS z.au.
	gov.au.   86400 IN NS y.au.
	;; Received 279 bytes from 58.65.253.73#53(58.65.253.73) in 146 ms

	abs.gov.au.  14400 IN NS ns1.telstra.net.
	abs.gov.au.  14400 IN NS ns1.abs.gov.au.
	;; Received 102 bytes from 37.209.198.5#53(37.209.198.5) in 62 ms

	census.abs.gov.au. 10800 IN NS auolpr00dn01d.abs.gov.au.
	census.abs.gov.au. 10800 IN NS auolpr00dn02d.abs.gov.au.
	census.abs.gov.au. 10800 IN NS auolpr00dn04d.abs.gov.au.
	census.abs.gov.au. 10800 IN NS auolpr00dn03d.abs.gov.au.
	;; Received 215 bytes from 139.130.4.5#53(139.130.4.5) in 48 ms

	www.census.abs.gov.au. 14400 IN A 150.207.169.5
	www.census.abs.gov.au. 14400 IN A 150.207.169.8
	census.abs.gov.au. 86400 IN NS auolpr00dn01d.abs.gov.au.
	census.abs.gov.au. 86400 IN NS auolpr00dn03d.abs.gov.au.
	census.abs.gov.au. 86400 IN NS auolpr00dn02d.abs.gov.au.
	census.abs.gov.au. 86400 IN NS auolpr00dn04d.abs.gov.au.
	;; Received 183 bytes from 150.207.169.7#53(150.207.169.7) in 9 ms

	   

	FROM: Chris Lee
	DATE: Thursday, August 11, 2016 at 7:09 PM
	TO: "ausnog at lists.ausnog.net [3]"
	SUBJECT: Re: [AusNOG] census issues tonight

	Online so long as you don't use Google DNS for lookups...

	;  DiG 9.10.4-P1  @8.8.8.8 [5] census.abs.gov.au [6]
	; (1 server found)
	;; global options: +cmd
	;; Got answer:
	;; ->>HEADER

Links:
------
[1] http://census.abs.gov.au/
[2] mailto:chris at datachaos.com.au
[3] mailto:ausnog at lists.ausnog.net
[4] mailto:ausnog at lists.ausnog.net
[5] https://urldefense.proofpoint.com/v2/url?u=http-3A__8.8.8.8&d=DQMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=wJDREqbOvAj7uAMLV05riA&m=fv569LrIV-cypFQUVYMlmz69TV4_76PM3m30R6LCx-0&s=lVEBnodBT1tutMSqVpjploWPMSXH5ioOE1oO1a3y_hQ&e=
[6] https://urldefense.proofpoint.com/v2/url?u=http-3A__census.abs.gov.au&d=DQMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=wJDREqbOvAj7uAMLV05riA&m=fv569LrIV-cypFQUVYMlmz69TV4_76PM3m30R6LCx-0&s=SjWtw_nm3J4SjJxIdaGpWiN25_EK69qzsxCpYdAIe_o&e=
[7] https://urldefense.proofpoint.com/v2/url?u=http-3A__census.abs.gov.au&d=DQMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=wJDREqbOvAj7uAMLV05riA&m=fv569LrIV-cypFQUVYMlmz69TV4_76PM3m30R6LCx-0&s=SjWtw_nm3J4SjJxIdaGpWiN25_EK69qzsxCpYdAIe_o&e=
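
Added example, not part of the original post: a small parser for `dig +trace` output that reports how long resolver caches can hold the old data after a cutover, either by changing the A record or by re-delegating the zone. The function names are hypothetical; it assumes resolvers honour TTLs and cached the record just before the change.

```python
import re

# Constructed sample: a subset of the records from the dig +trace output in the post.
TRACE = """\
abs.gov.au.  14400 IN NS ns1.telstra.net.
abs.gov.au.  14400 IN NS ns1.abs.gov.au.
;; Received 102 bytes from 37.209.198.5#53(37.209.198.5) in 62 ms
census.abs.gov.au. 10800 IN NS auolpr00dn01d.abs.gov.au.
census.abs.gov.au. 10800 IN NS auolpr00dn02d.abs.gov.au.
;; Received 215 bytes from 139.130.4.5#53(139.130.4.5) in 48 ms
www.census.abs.gov.au. 14400 IN A 150.207.169.5
www.census.abs.gov.au. 14400 IN A 150.207.169.8
census.abs.gov.au. 86400 IN NS auolpr00dn01d.abs.gov.au.
census.abs.gov.au. 86400 IN NS auolpr00dn03d.abs.gov.au.
;; Received 183 bytes from 150.207.169.7#53(150.207.169.7) in 9 ms
"""

RR = re.compile(r"^\s*(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)\s*$")
FROM = re.compile(r"^\s*;; Received \d+ bytes from ([0-9a-fA-F.:]+)#")

def parse_trace(text):
    """Return (server, owner, rtype, ttl, rdata) tuples; server is the responder."""
    out, pending = [], []
    for line in text.splitlines():
        m = RR.match(line)
        if m:
            pending.append((m[1].lower(), m[3].upper(), int(m[2]), m[4]))
            continue
        m = FROM.match(line)
        if m:  # the "Received" line closes one response; attribute its records
            out += [(m[1], *rec) for rec in pending]
            pending = []
    return out

def max_ttl(records, owner, rtype):
    """Largest TTL any server handed out for owner/rtype (worst-case cache life)."""
    ttls = [r[3] for r in records if r[1] == owner and r[2] == rtype]
    return max(ttls) if ttls else None

def cutover_hours(records, host, zone):
    """Worst-case hours until caches expire: change the A record vs. change the NS set."""
    return {"A": max_ttl(records, host, "A") / 3600,
            "NS": max_ttl(records, zone, "NS") / 3600}

if __name__ == "__main__":
    print(cutover_hours(parse_trace(TRACE), "www.census.abs.gov.au.", "census.abs.gov.au."))
```

In this trace the parent zone hands out the census.abs.gov.au NS set with a TTL of 10800 while the zone's own servers return 86400, so the NS figure depends on which copy a resolver cached.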
