[nsp-sec] DNS Reflection DDoS
Brian J Smith-Sweeney
bsmithsweeney at nyu.edu
Wed Mar 2 11:01:16 EST 2011
On Mon, Feb 28, 2011 at 11:26 PM, Nicholas Ianelli <ni at centergate.net> wrote:
>
> ----------- nsp-security Confidential --------
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> We have been getting hit with a DNS reflection attack. Here are the specs:
>
> It's currently hitting 204.74.115.1, though it's hit a few different IPs
> of ours. It's an ANY query for isc.org with the EDNS option set to 4096.
>
> Looks like this:
>
> 23:55:09.105010 00:19:e2:2d:45:79 > 00:30:48:cb:86:f0, ethertype IPv4
> (0x0800), length 78: (tos 0x0, ttl 235, id 50959, offset 0, flags
> [none], proto: UDP (17), length: 64) 204.74.109.1.25345 >
> 204.74.103.145.53: [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT
> UDPsize=4096 (36)
>
> We've captured over 3400 IPs involved in the attack. Full list can be
> found here. Not sure what if anything can be done.
>
> https://asn.cymru.com/nsp-sec/upload/1298951475.whois.txt
>
> Full list beneath my sig.
>
> Cheers,
> Nick
>
> - --
> Nicholas Ianelli: Neustar, Inc.
> Security Operations

(belated) ACK for AS12. Looks like this stopped around 11:30pm last
night from us, let me know if it kicks up again. We're working on
getting recursion disabled for these boxes.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Brian Smith-Sweeney Project Lead
ITS Technology Security Services, New York University
http://www.nyu.edu/its/security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
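
The query pattern in the quoted report (ANY queries carrying an EDNS buffer size of 4096) can be counted per source address in tcpdump text output. This is an added example, not part of the original thread; the sample lines, addresses, function names and threshold are constructed for illustration, and each packet is assumed to be on a single line.

```python
import re
from collections import Counter

# One tcpdump DNS query line: "<src>.<port> > <dst>.53: ... <QTYPE>? <qname> ... UDPsize=<n>"
QUERY_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.53: "
    r".*?\b(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)"
    r"(?:.*?UDPsize=(?P<udpsize>\d+))?"
)

def parse_query(line):
    """Return (src, qtype, qname, edns_udpsize or None), or None if not a DNS query line."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    size = int(m.group("udpsize")) if m.group("udpsize") else None
    return m.group("src"), m.group("qtype"), m.group("qname").lower(), size

def flag_any_floods(lines, min_udpsize=4096, threshold=3):
    """Count ANY queries with a large EDNS buffer per (source, qname).

    On a resolver, the source address of reflection traffic is the spoofed
    target, so repeated hits from one source are what to look for.
    threshold is an illustrative value, not a recommendation.
    """
    counts = Counter()
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            continue
        src, qtype, qname, size = parsed
        if qtype == "ANY" and size is not None and size >= min_udpsize:
            counts[(src, qname)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample lines (documentation address ranges), not captured traffic.
SAMPLE = [
    "23:55:09.105010 IP 192.0.2.10.25345 > 198.51.100.53.53: 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)",
    "23:55:09.105530 IP 192.0.2.10.25346 > 198.51.100.53.53: 10810+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)",
    "23:55:09.106120 IP 192.0.2.10.25347 > 198.51.100.53.53: 10811+ [1au] ANY? ISC.ORG. ar: . OPT UDPsize=4096 (36)",
    "23:55:09.300000 IP 192.0.2.77.40000 > 198.51.100.53.53: 4242+ A? www.example.com. (33)",
    "23:55:09.400000 IP 192.0.2.88.40001 > 198.51.100.53.53: 777+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)",
    "23:55:09.500000 IP 192.0.2.99.5353 > 198.51.100.53.53: 91+ [1au] A? example.com. ar: . OPT UDPsize=4096 (40)",
]

if __name__ == "__main__":
    for (src, qname), n in flag_any_floods(SAMPLE).items():
        print(f"{src} sent {n} ANY queries for {qname} with EDNS UDPsize >= 4096")
```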