[nsp-sec] 5Gbit DNS Reflection/amplification DoS (AS3356 AS4323, AS3257, AS6461)
Phil Rosenthal
pr at isprime.com
Wed Jan 21 14:52:10 EST 2009
Hello,
We are receiving a pretty large DDoS attack on our nameservers, ns/ns2.isprime.com
You can see an incident report on SANS about it for a little bit more
information:
http://isc.sans.org/diary.html?storyid=5713
We've done a bit of effort to backtrace as much as we could, though we
are at the mercy of Level3 at this point, who thus far has not made
any progress in backtracing anything.
Speaking to other hosts privately who were receiving the spoofed
stream towards their nameservers, they generally backtrace to (in
order) Time Warner Telecom/4323, Level3/3356, Tiscali/3257, and
Abovenet/6461.
Further, one of the nameservers was anycasted, and gives a strong
suggestion that the spoofed packets are coming from somewhere on the
USA East Coast, and likely a single source.
If anyone has any ability to backtrace this, I'd appreciate it.
The pattern should match:
source ip 66.230.128.15 and 66.230.160.1
source port is random, but NOT 53
dest port 53
protocol udp
If you can't specifically only look for destination port 53, you will
be looking at reflections, which won't be useful.
Please do not blackhole these IPs as they are live production
nameservers with many popular domains hosted on them.
Thanks,
-Phil
AS23393
ISPrime
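The pattern in the post is what an upstream operator would apply to flow data at their edge to find which ingress interface the spoofed stream arrives on. The following is an added example, not part of the post or anything ISPrime published: it parses a constructed, simplified flow-record format (ingress interface, protocol, source IP, source port, destination IP, destination port, packet count; the interface names and peer addresses are made up), separates the spoofed stream (source is one of the two nameserver IPs, destination port 53, source port not 53) from the reflections the post says to ignore (source port 53 heading back to the nameserver IPs), and totals spoofed packets per ingress interface so the operator knows which upstream to ask next.

```python
import ipaddress
from collections import Counter

# Nameserver addresses from the post; the attacker forges them as source IPs.
TARGET_NS = {"66.230.128.15", "66.230.160.1"}

# Constructed sample flow records (hypothetical interfaces and peer addresses):
# ingress_if proto src_ip src_port dst_ip dst_port packets
SAMPLE_FLOWS = [
    "ge-0/0/1 udp 66.230.128.15 41233 198.51.100.7 53 1200",   # spoofed query stream
    "ge-0/0/1 udp 66.230.160.1 59019 203.0.113.44 53 950",     # spoofed query stream
    "ge-0/0/3 udp 198.51.100.7 53 66.230.128.15 41233 1190",   # reflection back toward the NS
    "ge-0/0/2 udp 66.230.128.15 53 192.0.2.10 33412 40",       # genuine answer from the NS (src port 53)
    "ge-0/0/2 tcp 66.230.128.15 44022 192.0.2.10 53 3",        # TCP, not part of the pattern
    "ge-0/0/2 udp 66.230.160.1 50001 192.0.2.99 53 30",        # small spoofed trickle on another interface
]


def parse_flow(line):
    """Parse one whitespace-separated flow record into a dict; rejects malformed lines."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError(f"malformed flow record: {line!r}")
    ingress_if, proto, src_ip, src_port, dst_ip, dst_port, packets = fields
    return {
        "ingress_if": ingress_if,
        "proto": proto.lower(),
        "src_ip": str(ipaddress.ip_address(src_ip)),   # validates the address syntax
        "src_port": int(src_port),
        "dst_ip": str(ipaddress.ip_address(dst_ip)),
        "dst_port": int(dst_port),
        "packets": int(packets),
    }


def classify(flow):
    """Return 'spoofed' for the forged query stream (worth tracing),
    'reflection' for answers flowing back to the victim (not useful for backtrace),
    or None for anything else."""
    if flow["proto"] != "udp":
        return None
    if (flow["src_ip"] in TARGET_NS
            and flow["dst_port"] == 53
            and flow["src_port"] != 53):
        return "spoofed"
    if flow["dst_ip"] in TARGET_NS and flow["src_port"] == 53:
        return "reflection"
    return None


def spoofed_ingress_summary(lines):
    """Total spoofed packets per ingress interface; the heaviest interface points at the upstream to contact."""
    counts = Counter()
    for line in lines:
        flow = parse_flow(line)
        if classify(flow) == "spoofed":
            counts[flow["ingress_if"]] += flow["packets"]
    return counts


if __name__ == "__main__":
    for ifname, pkts in spoofed_ingress_summary(SAMPLE_FLOWS).most_common():
        print(f"{ifname}: {pkts} spoofed packets")
```

Matching on destination port 53 with a non-53 source port is what keeps the reflections out of the count; a filter on source IP alone would also catch the nameservers' own legitimate answers and the reflected responses, which is the mistake the post warns about.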