[nsp-sec] DNS DDoS uptick

Hank Nussbacher hank at efes.iucc.ac.il
Tue Apr 7 22:43:20 EDT 2009


On Tue, 7 Apr 2009, Tom Daly wrote:

> ----------- nsp-security Confidential --------
>
>> we've been on the end of two DDoS's in the last week. One is port 53
>> against our DNS infrastructure, the other against a DNS related
>> service, our mail and web forwarding capability. We have not had a
>> measurable DDoS for at least the last year.
>
> We can confirm the same in the past months. We've had considerable amounts of ICMP, non-port 53 UDP flooding, and SYN floods. Nothing has been in-DNS-protocol...yet. Our e-mail farms have been under sustained loads for dictionary and joe-job floods.
>
> Rodney - can you confirm if the attack last week was directed at UltraDNS itself, and not a customer domain?
>
> Can anyone from Register.com confirm if this is directed at your infrastructure, or a customer domain? How about AfterNIC? Are these attacks in-DNS-protocol?
>
>> This "feels" like a sea change in the environment.
>
> Agree!

What if this is some "weapons test" before the real deal?  How did any of 
those attacked make the attack stop?  What mitigation technique was used? 
Or did it simply stop on its own?  If it stopped on its own - I guess we 
can safely assume we will be seeing more of it.  Has any root server been 
attacked in such a way?

-Hank


