[nsp-sec] DDoS Attack in progress

sthaug at nethelp.no
Fri Dec 23 16:40:04 EST 2011


> I am seeing a steady stream, but I am also seeing responses ?  Let me
> see if I can get any access to these customer boxes and see what they
> are doing.

It's a standard spoofed source DNS amplification attack. E.g.:

22:33:13.134980 IP 178.251.233.35.53 > 62.176.192.51.53: 952+ [1au] ANY? ripe.net. (38)
22:33:13.135129 IP 178.251.233.35.53 > 62.176.192.48.53: 952+ [1au] ANY? ripe.net. (38)
22:33:13.135175 IP 178.251.233.35.53 > 62.176.195.57.53: 952+ [1au] ANY? ripe.net. (38)
22:33:13.158348 IP 62.176.195.57.53 > 178.251.233.35.53: 952 23/0/16 A 193.0.6.139,[|domain]
22:33:13.158757 IP 62.176.192.51.53 > 178.251.233.35.53: 952 13/6/3 DNSKEY[|domain]
22:33:13.158958 IP 62.176.192.48.53 > 178.251.233.35.53: 952 13/6/3 DNSKEY[|domain]

I can confidently say the source is spoofed because I see the
incoming traffic from 178.251.233.35 via several different border
routers.

The original report mentioned port 0 - I wouldn't be surprised if
these are actually fragments caused by a large DNS reply being
fragmented on the way.

Now to swat the offending amplifiers within my own AS ...

Steinar Haug, AS 2116
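As an added example (not from the post, and not AS 2116's own tooling), here is a small Python parser for tcpdump DNS lines of the kind quoted above, written from the resolver operator's side: it flags a claimed source that sends the same ANY query, with the same transaction ID, to several different resolvers in the local AS. The sample capture is constructed to match the quoted lines, and the "one transaction ID across many resolvers" heuristic is my assumption, not something the post states.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's DNS output format, modelled on the
# capture quoted in the post (same addresses, query id and qname).
SAMPLE = """\
22:33:13.134980 IP 178.251.233.35.53 > 62.176.192.51.53: 952+ [1au] ANY? ripe.net. (38)
22:33:13.135129 IP 178.251.233.35.53 > 62.176.192.48.53: 952+ [1au] ANY? ripe.net. (38)
22:33:13.135175 IP 178.251.233.35.53 > 62.176.195.57.53: 952+ [1au] ANY? ripe.net. (38)
22:33:13.158348 IP 62.176.195.57.53 > 178.251.233.35.53: 952 23/0/16 A 193.0.6.139,[|domain]
22:33:13.158757 IP 62.176.192.51.53 > 178.251.233.35.53: 952 13/6/3 DNSKEY[|domain]
22:33:13.158958 IP 62.176.192.48.53 > 178.251.233.35.53: 952 13/6/3 DNSKEY[|domain]
"""

# Matches query lines only: the "+" after the id is tcpdump's RD flag,
# which response lines ("952 13/6/3 ...") do not carry.
QUERY_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)\+ (?:\[1au\] )?(?P<qtype>\w+)\? (?P<qname>\S+) \((?P<size>\d+)\)$")

def parse_queries(text):
    """Yield one dict per DNS query line; response lines are skipped."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "txid", "size"):
                d[k] = int(d[k])
            yield d

def find_amplification_sources(text, min_targets=3):
    """Return {claimed_src: details} for sources showing the reflection
    pattern: one address hitting several of our resolvers with ANY queries
    that all carry the same transaction id (assumed heuristic)."""
    by_src = defaultdict(list)
    for q in parse_queries(text):
        by_src[q["src"]].append(q)
    suspects = {}
    for src, qs in by_src.items():
        targets = {q["dst"] for q in qs}
        txids = {q["txid"] for q in qs}
        if (len(targets) >= min_targets and len(txids) == 1
                and all(q["qtype"] == "ANY" for q in qs)):
            suspects[src] = {"targets": sorted(targets), "txid": txids.pop(),
                             "qname": qs[0]["qname"], "queries": len(qs)}
    return suspects
```

The flagged address is the likely victim, not the attacker; the useful operator follow-up is the one the post names, finding and closing the open resolvers in the target set.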
