[nsp-sec] packet love to DNS server
Stephen Gill
gillsr at cymru.com
Fri Apr 22 18:46:05 EDT 2011
It is...
I saw a bunch of DNS servers responding to what looked like isc.org ANY
queries.
-- steve
On 4/22/11 3:29 PM, "Jose Nazario" <jose at arbor.net> wrote:
> ----------- nsp-security Confidential --------
>
> On Apr 22, 2011, at 4:34 PM, Justin M. Streiner wrote:
>
>> We've been seeing excessive amounts of packet love to udp/53 on one of our
>> DNS servers (136.142.57.10) on and off for the past few days (starting on 19
>> April). It hasn't been a major issue, but the CPU on that server, or on the
>> firewall in front of it, have occasionally gotten somewhat unhappy...
>>
>> We've been blocking the offending hosts at the borders as we see them, so the
>> situation isn't critical, but if anyone could assist locating and
>> re-educating the offending hosts, I'd certainly appreciate it. If there's
>> any indication that the offending hosts are pwnd, I'd be interested in
>> hearing about any forensic info, if found.
>
> i believe the IPs you listed are all DNS servers and i bet the attack you're
> seeing is a DNS reflection and amplification attack. i have no specific
> details on the attack however.
>
> _____________________________
> jose nazario, ph.d. jose at arbor.net
> sr. manager of security research, arbor networks
> http://asert.arbor.net/
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.team-cymru.org | +1 630 230 5423 | gillsr at cymru.com
We just launched our new Training Practice, see
http://www.team-cymru.com/Services/Training/
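
Added example, not part of the original thread: a defender-side check for the traffic described above, which parses the DNS question out of each payload arriving at udp/53 and counts, per source, responses to ANY queries that match no query the host itself sent. The function names, the documentation-range IPs and the `OUTSTANDING` set (how the host tracks its own queries) are assumptions made for illustration.

```python
import struct
from collections import Counter

QTYPE_ANY = 255  # QTYPE "*" (ANY), RFC 1035

def build_dns(txid, qname, qtype, response):
    """Build a header-plus-question DNS message for the constructed samples."""
    header = struct.pack("!HHHHHH", txid, 0x8180 if response else 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)

def parse_question(payload):
    """Return (txid, is_response, qname, qtype), or None for malformed input."""
    if len(payload) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    pos, labels = 12, []
    while qdcount and pos < len(payload):
        length = payload[pos]
        pos += 1
        if length == 0:  # end of name: QTYPE and QCLASS must follow
            if pos + 4 > len(payload):
                return None
            qtype = struct.unpack("!H", payload[pos:pos + 2])[0]
            return txid, bool(flags & 0x8000), ".".join(labels), qtype
        if length > 63 or pos + length > len(payload):
            return None  # compression pointer or truncated label
        labels.append(payload[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    return None

def unsolicited_any_responses(packets, outstanding):
    """Count, per (source, qname), ANY responses matching no query we sent."""
    hits = Counter()
    for src, payload in packets:
        parsed = parse_question(payload)
        if parsed is None:
            continue
        txid, is_response, qname, qtype = parsed
        if is_response and qtype == QTYPE_ANY and (src, txid) not in outstanding:
            hits[(src, qname)] += 1
    return hits

# Constructed sample: (source IP, UDP payload) pairs seen arriving at udp/53.
SAMPLE = (
    [("192.0.2.53", build_dns(i, "isc.org", QTYPE_ANY, True)) for i in range(3)]
    + [("198.51.100.7", build_dns(9, "ISC.ORG", QTYPE_ANY, True)),
       ("203.0.113.9", build_dns(7, "example.com", 1, False)),       # ordinary client query
       ("203.0.113.20", build_dns(0x1234, "example.net", 1, True)),  # answer we asked for
       ("203.0.113.66", b"\x00\x01\x81")]                            # truncated junk
)
OUTSTANDING = {("203.0.113.20", 0x1234)}  # (server, txid) of queries this host sent
```

Sources that rank high in this count are the reflecting DNS servers, not the origin of the spoofed queries, so the output is a list of operators to notify rather than of compromised hosts.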