[nsp-sec] DNS Type 2 (Authoritative NS) query for "." DDoS ongoing-> Attn AS 23393 (ISPrime)
Smith, Donald
Donald.Smith at qwest.com
Tue Jan 20 11:03:09 EST 2009
That is a possibility, but in most cases packets that get dropped STILL create netflow. I know that is true for ACL-dropped packets in at least most cases.
Not sure about urpf or other bcp38 methods.
Donald.Smith at qwest.com
Please cc the handlers to keep them all in the loop.
________________________________
From: Danny McPherson [danny at tcb.net]
Sent: Tuesday, January 20, 2009 8:56 AM
To: Smith, Donald
Cc: White, Gerard; nsp-security at puck.nether.net
Subject: Re: [nsp-sec] DNS Type 2 (Authoritative NS) query for "." DDoS ongoing-> Attn AS 23393 (ISPrime)
On Jan 20, 2009, at 8:32 AM, Smith, Donald wrote:
> Strangely enough I saw NONE.
> I checked two days of netflow. This looks like it was a very small
> set of attackers.
> The sites involved are known for hosting porn. I suspect this is
> some type of holy war or one porn owner fighting another?? We do
> have decent bcp38 so it may have been dropped before any netflow was
> created?
Or perhaps your anti-spoofing application quashed
them all? :-)
-danny