[nsp-sec] UDP love against AS5539

King, Link Link.King at neustar.com
Sat Dec 24 16:41:20 EST 2011


>Looking more closely at the queries, I see ANY queries for the domains
>which are *delegated* from the respective two name servers.

We have been seeing this since the beginning of December quite frequently.
It's been puzzling for precisely the reasons you explained.  Not the best
amplification available but very interesting that someone put this
together.  I can't very well drop queries for legitimate zones we are
authoritative for.  It's not terribly difficult to deal with in its
current form but the concerning part is if someone takes it a step in a
direction away from reflection attacks ...

FWIW, the vast majority of the sources/targets we've seen are out of China
(mostly Chinanet).  The spikes are typically in the 100-200 Mb/s range
inbound to us.  If anyone is interested I can certainly provide additional
detail.

--
Link King
link.king at neustar.com





