[nsp-sec] packet love to DNS server

Jose Nazario jose at arbor.net
Fri Apr 22 18:29:54 EDT 2011


On Apr 22, 2011, at 4:34 PM, Justin M. Streiner wrote:

> We've been seeing excessive amounts of packet love to udp/53 on one of our DNS servers (136.142.57.10) on and off for the past few days (starting on 19 April).  It hasn't been a major issue, but the CPU on that server, or on the firewall in front of it, have occasionally gotten somewhat unhappy...
> 
> We've been blocking the offending hosts at the borders as we see them, so the situation isn't critical, but if anyone could assist locating and re-educating the offending hosts, I'd certainly appreciate it.  If there's any indication that the offending hosts are pwnd, I'd be interested in hearing about any forensic info, if found.

i believe the IPs you listed are all DNS servers and i bet the attack you're seeing is a DNS reflection and amplification attack. i have no specific details on the attack however. 

_____________________________
jose nazario, ph.d. jose at arbor.net
sr. manager of security research, arbor networks
http://asert.arbor.net/




