[nsp-sec] packet love to DNS server
Jose Nazario
jose at arbor.net
Fri Apr 22 18:52:48 EDT 2011
that's exactly the attack nick ianelli described about two months ago:

From: Nicholas Ianelli <ni at centergate.net>
Subject: [nsp-sec] DNS Reflection DDoS
Date: February 28, 2011 11:26:03 PM EST

justin your box is one of the amplifiers identified then.

On Apr 22, 2011, at 6:46 PM, Stephen Gill wrote:
> It is...
>
> I saw a bunch of DNS servers responding to what looked like isc.org ANY
> queries.
>
> -- steve
>
>
> On 4/22/11 3:29 PM, "Jose Nazario" <jose at arbor.net> wrote:
>
>> ----------- nsp-security Confidential --------
>>
>> On Apr 22, 2011, at 4:34 PM, Justin M. Streiner wrote:
>>
>>> We've been seeing excessive amounts of packet love to udp/53 on one of our
>>> DNS servers (136.142.57.10) on and off for the past few days (starting on 19
>>> April). It hasn't been a major issue, but the CPU on that server, or on the
>>> firewall in front of it, have occasionally gotten somewhat unhappy...
>>>
>>> We've been blocking the offending hosts at the borders as we see them, so the
>>> situation isn't critical, but if anyone could assist locating and
>>> re-educating the offending hosts, I'd certainly appreciate it. If there's
>>> any indication that the offending hosts are pwnd, I'd be interested in
>>> hearing about any forensic info, if found.
>>
>> i believe the IPs you listed are all DNS servers and i bet the attack you're
>> seeing is a DNS reflection and amplification attack. i have no specific
>> details on the attack however.
>>
>> _____________________________
>> jose nazario, ph.d. jose at arbor.net
>> sr. manager of security research, arbor networks
>> http://asert.arbor.net/
>>
>>
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security
>> counter-measures.
>> _______________________________________________
>
> --
> Stephen Gill, Chief Scientist, Team Cymru
> http://www.team-cymru.org | +1 630 230 5423 | gillsr at cymru.com
>
> We just launched our new Training Practice, see
> http://www.team-cymru.com/Services/Training/
>
>
_____________________________
jose nazario, ph.d. jose at arbor.net
sr. manager of security research, arbor networks
http://asert.arbor.net/
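
Added example, not part of the original thread: a check an operator could run over captured udp/53 payloads to see whether a server is being fed repeated ANY queries (such as the isc.org ANY queries mentioned above), which in a reflection attack arrive with the target's address as the source. The function names, the threshold and the sample packets (documentation-range addresses) are assumptions constructed for illustration.

```python
import struct
from collections import Counter

QTYPE_ANY = 255  # RFC 1035 QTYPE "*" (ANY)

def build_query(qname, qtype, txid=0x1234):
    """Build a minimal DNS query; used here only to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(payload):
    """Return (qname, qtype) of the first question, or None if not a usable query."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:  # QR bit set means this is a response
        return None
    pos, labels = 12, []
    while pos < len(payload) and payload[pos] != 0:
        n = payload[pos]
        if n > 63 or pos + 1 + n > len(payload):  # pointer or truncated label
            return None
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace").lower())
        pos += 1 + n
    if pos + 5 > len(payload):  # need root label byte + QTYPE + QCLASS
        return None
    qtype, _qclass = struct.unpack("!HH", payload[pos + 1:pos + 5])
    return ".".join(labels), qtype

def flag_any_floods(packets, threshold):
    """packets: iterable of (src_ip, udp_payload).
    Return {(src_ip, qname): count} for ANY queries seen at least `threshold` times."""
    counts = Counter()
    for src, payload in packets:
        q = parse_question(payload)
        if q and q[1] == QTYPE_ANY:
            counts[(src, q[0])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}

# Constructed sample: one source repeating ANY isc.org, plus normal and junk traffic.
SAMPLE = ([("198.51.100.7", build_query("isc.org", QTYPE_ANY))] * 40
          + [("192.0.2.10", build_query("example.com", 1))] * 40
          + [("192.0.2.11", build_query("isc.org", QTYPE_ANY))] * 2
          + [("203.0.113.5", b"\x00\x01")])  # too short to be DNS

if __name__ == "__main__":
    for (src, name), n in flag_any_floods(SAMPLE, threshold=20).items():
        print(f"{src}: {n} ANY queries for {name}")
```

The flagged source addresses are the likely targets of the reflection rather than the origin of the traffic, so they are candidates for rate limiting on the server, not for blame.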