[nsp-sec] Spoofed DNS traffic from internal address space

Jason Chambers jchambers at ucla.edu
Wed Apr 27 21:29:24 EDT 2011


On 4/27/11 1:50 AM, White, Gerard wrote:
> Hi Jason.
> 
> We provide commodity transit for one University that was subject to a similar issue...
> 
> In their case, spoofed DNS traffic was being aimed at their DNS infrastructure, but the TTL
> was getting carefully trimmed so that various routers in our IP Core (1,2,3 hops away) would
> bombard them with ICMP Type 11 Code 0 :(
> 
> We eventually back-traced the offending traffic flows as coming via Level3.
> 
> Mr. Janish and team were kind enough to block said traffic - not sure if he completed a
> back-trace exercise to discover its ASN origin.
> 


Thanks for the info on this.  Interesting attack.

The traffic has a TTL between 4 and 6 just before entering our border.
I'm surprised it has continued for so long without modification.

From working with our upstream NSP we were able to determine the traffic
is sourced from the ChinaTel peering so hopefully I hear something from
those guys.


Regards,

-- 

Jason Chambers
UCLA
jchambers at ucla.edu
310-206-5603
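The two symptoms this thread describes (DNS packets arriving from upstream with the site's own addresses as source, and packets whose remaining TTL is so low that core routers, rather than the DNS server, end up answering with ICMP Type 11 Code 0) are both visible at the border. Below is an added detection example, not code from the thread or from either institution: it classifies constructed border packet records against hypothetical internal prefixes. The interface names, prefixes, hop count and sample records are assumptions; the TTL window of 4 to 6 is the one reported in the reply above.

```python
"""Flag border-ingress packets matching the pattern from the nsp-sec thread:
DNS traffic sourced from the site's own (internal) address space, and/or DNS
traffic whose remaining TTL is low enough to expire inside the core so that
routers answer with ICMP Time Exceeded (Type 11, Code 0) toward the spoofed source.

All prefixes, interface names and sample records here are constructed for the
demonstration; the TTL window (4-6) is the value reported at the UCLA border.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical site address space (constructed; replace with real prefixes).
INTERNAL_PREFIXES = [ipaddress.ip_network("198.51.100.0/24"),
                     ipaddress.ip_network("203.0.113.0/24")]
DNS_PORT = 53
LOW_TTL_MAX = 6   # thread: TTL between 4 and 6 when entering the border
HOPS_TO_DNS = 3   # hypothetical path length: border -> core -> core -> DNS server


@dataclass
class Packet:
    iface: str      # "ext" = arriving from upstream, "int" = arriving from inside
    src: str
    dst: str
    proto: str
    dport: int
    ttl: int


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the site's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_PREFIXES)


def classify(pkt: Packet) -> list:
    """Return the reasons a packet should be flagged (or dropped) at the border."""
    reasons = []
    if pkt.iface == "ext" and is_internal(pkt.src):
        # Our own addresses never legitimately arrive from upstream:
        # this is the ingress-filtering (BCP 38 style) check.
        reasons.append("spoofed-internal-source")
    if pkt.proto == "udp" and pkt.dport == DNS_PORT and pkt.ttl <= LOW_TTL_MAX:
        reasons.append("low-ttl-dns")
        if pkt.ttl <= HOPS_TO_DNS:
            # The packet will expire before reaching the DNS server, so a core
            # router sends ICMP Type 11 Code 0 to the (possibly spoofed) source.
            reasons.append("will-expire-in-core")
    return reasons


# Constructed sample border records (addresses from documentation ranges).
SAMPLE = [
    Packet("ext", "198.51.100.7", "198.51.100.53", "udp", 53, 5),   # spoofed, low TTL
    Packet("ext", "192.0.2.10", "198.51.100.53", "udp", 53, 2),     # expires in core
    Packet("ext", "192.0.2.11", "198.51.100.53", "udp", 53, 52),    # ordinary query
    Packet("int", "198.51.100.7", "192.0.2.53", "udp", 53, 63),     # outbound, clean
]


def summarize(packets) -> dict:
    """Map each flagged packet's source address to its reasons; clean packets are omitted."""
    return {p.src: classify(p) for p in packets if classify(p)}


if __name__ == "__main__":
    for src, reasons in summarize(SAMPLE).items():
        print(src, reasons)
```

The first check is the one that would have stopped this traffic regardless of TTL games: packets bearing internal source addresses on the external interface have no legitimate reason to exist. The TTL check is a second signal worth alerting on because the ICMP Type 11 responses come from routers that are not the victim's, so the victim's DNS logs alone would not show the source of the load.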