[nsp-sec] DNS reflection DDoS
Michael Sinatra
michael at rancid.berkeley.edu
Sun Sep 5 17:52:31 EDT 2010
Hi,
I found about two dozen hosts in AS25 that were apparently participating
in a DNS reflection DDoS attack. The hosts were responding to queries
for ". NS", and the sources of the queries (possibly spoofed to appear to
be coming from the victim hosts) were as follows:
AS | IP | AS Name
6849 | 109.72.146.201 | UKRTELNET JSC UKRTELECOM,
36351 | 173.244.211.220 | SOFTLAYER - SoftLayer Technologies Inc.
Again, please note that the above hosts appear to be victims, not attackers.
The hosts on our end that were participating in the attack have been
null-routed.
What's interesting is that the hosts on our end were definitely
responding to DNS queries from outside of our network (i.e. "open
resolvers"), but they did not appear to be true resolvers. For each
query they received, they would query their configured DNS servers, even
though the queries were the same over and over again. That is,
there was no appearance of any caching going on. I will see if any of
the hosts come up with interesting malware that might indicate what's
going on, but it looks to me like some simple DNS reflector was installed.
You may want to check for flows to these hosts from your net. The first
host (109.72.146.201) would have been under attack beginning roughly
02-Sep-2010 12:42:00 UTC and the second host (173.244.211.220) from
roughly 05-Sep-2010 16:14 UTC to the present.
michael
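The behaviour described above (internal hosts answering ". NS" queries from outside, and forwarding every one of them upstream instead of answering from a cache) can be picked out of DNS query/response logs. The script below is an added example written for this archive page; it is not code from Michael's message or from the nsp-sec list. The log format, the internal prefix 192.0.2.0/24, the forwarder address 203.0.113.53 and all the sample records are constructed for the example; the two victim addresses are the ones named in the post. It flags a host as a non-caching reflector when its ratio of upstream queries to externally sourced queries is close to one, and reports, per apparent victim, how many ". NS" queries arrived and over what time window (the victim addresses are the spoofed sources, as the post notes).

```python
"""Flag internal hosts acting as DNS reflectors (added example, not from the post)."""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

# Assumptions for the example (not from the original post): our address space
# and the forwarder the suspect hosts send their upstream queries to.
INTERNAL = ipaddress.ip_network("192.0.2.0/24")
UPSTREAM = {"203.0.113.53"}

# Constructed sample records. Fields: <UTC ts> <src> <dst> <Q|R> <qname> <qtype>
# 192.0.2.10 forwards every ". NS" query from 173.244.211.220 upstream (no cache);
# 192.0.2.20 is open too, but answers the repeated example.org query from cache.
SAMPLE_LOG = """\
2010-09-05T16:14:00Z 173.244.211.220 192.0.2.10 Q . NS
2010-09-05T16:14:00Z 192.0.2.10 203.0.113.53 Q . NS
2010-09-05T16:14:00Z 203.0.113.53 192.0.2.10 R . NS
2010-09-05T16:14:00Z 192.0.2.10 173.244.211.220 R . NS
2010-09-05T16:14:01Z 173.244.211.220 192.0.2.10 Q . NS
2010-09-05T16:14:01Z 192.0.2.10 203.0.113.53 Q . NS
2010-09-05T16:14:01Z 203.0.113.53 192.0.2.10 R . NS
2010-09-05T16:14:01Z 192.0.2.10 173.244.211.220 R . NS
2010-09-05T16:14:02Z 173.244.211.220 192.0.2.10 Q . NS
2010-09-05T16:14:02Z 192.0.2.10 203.0.113.53 Q . NS
2010-09-05T16:14:02Z 203.0.113.53 192.0.2.10 R . NS
2010-09-05T16:14:02Z 192.0.2.10 173.244.211.220 R . NS
2010-09-05T16:14:05Z 192.0.2.77 192.0.2.20 Q www.example.com A
2010-09-05T16:14:05Z 192.0.2.20 192.0.2.77 R www.example.com A
2010-09-05T16:14:06Z 198.51.100.9 192.0.2.20 Q example.org A
2010-09-05T16:14:06Z 192.0.2.20 203.0.113.53 Q example.org A
2010-09-05T16:14:06Z 203.0.113.53 192.0.2.20 R example.org A
2010-09-05T16:14:06Z 192.0.2.20 198.51.100.9 R example.org A
2010-09-05T16:14:07Z 198.51.100.9 192.0.2.20 Q example.org A
2010-09-05T16:14:07Z 192.0.2.20 198.51.100.9 R example.org A
"""


def parse_log(text):
    """Parse one record per line into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, direction, qname, qtype = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "dir": direction,
            "qname": qname, "qtype": qtype,
        })
    return records


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def analyze(records):
    """Per internal host: queries accepted from outside, queries it sent upstream,
    and, per external source, how many '. NS' queries arrived and over what window."""
    stats = defaultdict(lambda: {
        "external_queries": 0, "upstream_queries": 0,
        "victims": Counter(), "window": {},
    })
    for r in records:
        if r["dir"] != "Q":
            continue
        if is_internal(r["dst"]) and not is_internal(r["src"]):
            host = stats[r["dst"]]
            host["external_queries"] += 1
            if r["qname"] == "." and r["qtype"] == "NS":
                src = r["src"]
                host["victims"][src] += 1
                first, last = host["window"].get(src, (r["ts"], r["ts"]))
                host["window"][src] = (min(first, r["ts"]), max(last, r["ts"]))
        elif is_internal(r["src"]) and r["dst"] in UPSTREAM:
            stats[r["src"]]["upstream_queries"] += 1
    return dict(stats)


def classify(host_stats, no_cache_threshold=0.9):
    """A host that forwards (nearly) every external query upstream is not caching;
    a genuine caching resolver forwards far fewer than it receives."""
    ext = host_stats["external_queries"]
    if ext == 0:
        return "not open"
    ratio = host_stats["upstream_queries"] / ext
    return "non-caching reflector" if ratio >= no_cache_threshold else "open caching resolver"


if __name__ == "__main__":
    for host, s in sorted(analyze(parse_log(SAMPLE_LOG)).items()):
        print(f"{host}: {classify(s)} ({s['external_queries']} external queries, "
              f"{s['upstream_queries']} sent upstream)")
        for victim, n in s["victims"].most_common():
            first, last = s["window"][victim]
            print(f"  '. NS' from {victim}: {n} queries, "
                  f"{first:%Y-%m-%d %H:%M:%S} .. {last:%H:%M:%S} UTC")
```

The ratio test needs a reasonable number of repeated queries before it means anything; on a handful of records a real resolver with cold cache also looks like a forwarder, so in practice run it over flows covering the whole attack window before null-routing anything.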