[nsp-sec] DNS Reflection DDoS
King, Link
Link.King at neustar.com
Mon Feb 28 23:39:45 EST 2011
>We have been getting hit with a DNS reflection attack. Here are the specs:
>
>It's currently hitting 204.74.115.1, though it's hit a few different IPs
>of ours. It's an ANY query for isc.org with the EDNS option set to 4096.
>
>Looks like this:
>
>23:55:09.105010 00:19:e2:2d:45:79 > 00:30:48:cb:86:f0, ethertype IPv4
>(0x0800), length 78: (tos 0x0, ttl 235, id 50959, offset 0, flags
>[none], proto: UDP (17), length: 64) 204.74.109.1.25345 >
>204.74.103.145.53: [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT
>UDPsize=4096 (36)
FYI - That timestamp is from a previous event similar in nature. This
latest one started around 01:52 GMT. Of note ... The spoofed source port
is always 25345.
-Link
>
>We've captured over 3400 IPs involved in the attack. Full list can be
>found here. Not sure what if anything can be done.
>
>https://asn.cymru.com/nsp-sec/upload/1298951475.whois.txt
>
>Full list beneath my sig.
>
>Cheers,
>Nick
>
>- --
>Nicholas Ianelli: Neustar, Inc.
>Security Operations
>
>46000 Center Oak Plaza Sterling, VA 20166
>+1 571.434.4691 - http://www.neustar.biz
--
Link King
link.king at neustar.com
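
Added example, not part of the original thread: a small Python filter that tallies the traits reported above (ANY queries advertising an EDNS UDP size of 4096, and the fixed source port) from tcpdump text output. It assumes the capture layout quoted in the message; the function names, the threshold parameter and every packet after the first are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the first record is the capture quoted in the thread,
# the others are made-up packets using documentation address ranges.
CAPTURE = """\
23:55:09.105010 00:19:e2:2d:45:79 > 00:30:48:cb:86:f0, ethertype IPv4
(0x0800), length 78: (tos 0x0, ttl 235, id 50959, offset 0, flags
[none], proto: UDP (17), length: 64) 204.74.109.1.25345 >
204.74.103.145.53: [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT
UDPsize=4096 (36)
23:55:09.105411 IP 192.0.2.10.25345 > 198.51.100.53.53: 10810+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)
23:55:09.105800 IP 192.0.2.10.25345 > 198.51.100.53.53: 10811+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)
23:55:09.300000 IP 192.0.2.77.40112 > 198.51.100.53.53: 4242+ A? www.example.com. (33)
23:55:09.400000 IP 192.0.2.78.51000 > 198.51.100.53.53: 7+ [1au] ANY? example.net. ar: . OPT UDPsize=512 (40)
"""

TS = re.compile(r"\d{2}:\d{2}:\d{2}\.\d+ ")  # a timestamp starts each packet
RECORD = re.compile(
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.53: "
    r".*?\b(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)(?:.*?UDPsize=(?P<edns>\d+))?")

def records(text):
    """Re-join wrapped tcpdump output into one string per packet."""
    out = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if TS.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def summarize(text, min_edns=4096):
    """Count ANY queries with a large EDNS buffer, by query name and source port."""
    names, sports = Counter(), Counter()
    for m in filter(None, map(RECORD.search, records(text))):
        if m["qtype"] == "ANY" and int(m["edns"] or 0) >= min_edns:
            names[m["qname"]] += 1
            sports[m["sport"]] += 1
    return names, sports

if __name__ == "__main__":
    print(summarize(CAPTURE))
```

A single source port dominating the second counter across many packets is the same regularity noted in the reply above.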