[nsp-sec] DNS DDoS - "." query reply flood
White, Gerard
Gerard.White at bellaliant.ca
Tue Jun 2 08:24:00 EDT 2009
Greetings.
Actually there's a generator or series of generators involved in this attack that are messed-up.

They're pushing UDP Traffic towards the "select" group of open resolvers with a Destination UDP port of 0.

Apart from the UDP Port 0 mistake (and the resulting invalid UDP Header Checksum), it's a perfectly valid Type 2 (Authoritative Name Server) query as well.

Amplification factor for Open resolvers that return a proper answer is 45 Bytes In to 528 Bytes out (11.73x).
GW
855 - Bell Aliant
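As an added example (not code from either post in this thread), a small Python parser that flags UDP/DNS packets matching the pattern Gerard describes: a destination port of 0 carrying a query for "." of type NS (2). The sample packet is constructed inline; the source port and transaction id are assumptions, and the 20-byte IPv4 header is assumed to have no options.

```python
import struct

QTYPE_NS = 2  # "Type 2 (Authoritative Name Server)" as stated in the report


def build_udp_root_ns_query(src_port: int, dst_port: int, txid: int = 0x1234) -> bytes:
    """Constructed sample: UDP header + minimal DNS query for "." type NS, class IN."""
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    dns += b"\x00" + struct.pack("!HH", QTYPE_NS, 1)        # root name, NS, IN
    # UDP: sport, dport, length (header + payload), checksum left at 0 here
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(dns), 0)
    # 17-byte DNS payload + 8 UDP + 20 IPv4 = 45 bytes on the wire, as in the report
    return udp + dns


def parse_qname(data: bytes, offset: int):
    """Return (name, next_offset); the bare root label decodes to '.'."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return (".".join(labels) + "." if labels else "."), offset


def classify_udp_dns(packet: bytes) -> dict:
    """Decode UDP + DNS question and flag the generator signature from the thread."""
    sport, dport, ulen, _csum = struct.unpack("!HHHH", packet[:8])
    dns = packet[8:ulen]
    txid, flags, qdcount = struct.unpack("!HHH", dns[:6])
    is_query = not (flags & 0x8000)          # QR bit clear
    qname, off = struct_off = parse_qname(dns, 12)
    qtype, qclass = struct.unpack("!HH", dns[off:off + 4])
    root_ns = is_query and qdcount == 1 and qname == "." and qtype == QTYPE_NS
    return {
        "sport": sport, "dport": dport, "qname": qname, "qtype": qtype,
        "root_ns_query": root_ns,
        "matches_report": root_ns and dport == 0,   # "." NS query sent to UDP port 0
    }


def amplification_factor(bytes_in: int, bytes_out: int) -> float:
    return round(bytes_out / bytes_in, 2)       # 45 -> 528 gives 11.73
```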
-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Jose Nazario
Sent: Monday, June 01, 2009 12:55 PM
To: nsp-security NSP
Subject: [nsp-sec] DNS DDoS - "." query reply flood
----------- nsp-security Confidential --------
picked up an amplified/reflected DNS "." query flood aimed at 81.176.232.101

AS   | IP             | AS Name
8342 | 81.176.232.101 | RTCOMM-AS RTComm.RU Autonomous System

may be worth looking for flows that purport to be from that host as a means to track down the tools in use here. would be nice to ID the tools, the botnet(s) and axe them as they can cause pain to other networks.
--
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
manager of security research arbor networks
v: (734) 821 1427 http://asert.arbor.net/
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security community. Confidentiality is essential for effective Internet security counter-measures.