[nsp-sec] Backtracking .... Re: DNS Reflection DDoS
Barry Greene
bgreene at senki.org
Wed Mar 2 19:49:57 EST 2011
Hi Brett and Nathan,
Are you running Netflow in your network so we can back trace the exits for these flows? These are all headed downstream to Neustar.
Thanks,
Barry
>
> I can provide data on this hitting our recursives. Example of something
> that is going on right now:
>
> 20:23:14.640169 IP (tos 0x0, ttl 240, id 34051, offset 0, flags [none],
> proto: UDP (17), length: 64) 78.159.11.189.25345 > 156.154.71.22.domain:
> [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)
> 20:23:14.640209 IP (tos 0x0, ttl 240, id 19201, offset 0, flags [none],
> proto: UDP (17), length: 64) 210.1.60.93.25345 > 156.154.71.22.domain: [no
> cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)
> 20:23:14.642170 IP (tos 0x0, ttl 240, id 62731, offset 0, flags [none],
> proto: UDP (17), length: 64) 78.159.11.189.25345 > 156.154.71.22.domain:
> [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)
> 20:23:14.646020 IP (tos 0x0, ttl 240, id 62482, offset 0, flags [none],
> proto: UDP (17), length: 64) 210.1.60.93.25345 > 156.154.71.22.domain: [no
> cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)
> 20:23:14.652780 IP (tos 0x0, ttl 240, id 36118, offset 0, flags [none],
> proto: UDP (17), length: 64) 78.159.11.189.25345 > 156.154.71.22.domain:
> [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)
>
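Added example, not part of the original e-mail or of any nsp-security tooling: the quoted capture shows different source addresses sharing one source port, DNS query ID and TTL, and this sketch groups `tcpdump -v` lines on those fields to list the addresses being used as forged sources and the flow fingerprint to look for in Netflow. It assumes one packet per line (not mail-wrapped); the sample input, the function name and the grouping heuristic are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in `tcpdump -v` format; addresses are documentation
# ranges, not the ones in the capture quoted above.
SAMPLE = """\
20:23:14.640169 IP (tos 0x0, ttl 240, id 34051, offset 0, flags [none], proto: UDP (17), length: 64) 192.0.2.10.25345 > 203.0.113.53.domain: [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)
20:23:14.640209 IP (tos 0x0, ttl 240, id 19201, offset 0, flags [none], proto: UDP (17), length: 64) 198.51.100.7.25345 > 203.0.113.53.domain: [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)
20:23:14.642170 IP (tos 0x0, ttl 240, id 62731, offset 0, flags [none], proto: UDP (17), length: 64) 192.0.2.10.25345 > 203.0.113.53.domain: [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)
20:23:14.644811 IP (tos 0x0, ttl 57, id 5120, offset 0, flags [DF], proto: UDP (17), length: 61) 192.0.2.99.51422 > 203.0.113.53.domain: [udp sum ok] 4471+ A? www.example.com. (33)
20:23:14.646020 IP (tos 0x0, ttl 240, id 62482, offset 0, flags [none], proto: UDP (17), length: 64) 198.51.100.7.25345 > 203.0.113.53.domain: [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)
20:23:14.652780 IP (tos 0x0, ttl 240, id 36118, offset 0, flags [none], proto: UDP (17), length: 64) 192.0.2.10.25345 > 203.0.113.53.domain: [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)
"""

# Pulls out the IP TTL, IP length, both endpoints, and the DNS query ID,
# type and name from one verbose tcpdump line for a query to port 53.
LINE = re.compile(
    r"ttl (?P<ttl>\d+), id \d+,.*?length:? (?P<len>\d+)\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?:domain|53): "
    r".*?(?P<qid>\d+)\+? (?:\[\w+\] )?(?P<qtype>[A-Z]+)\? (?P<qname>\S+)"
)

def find_templates(text, min_sources=2):
    """Return {fingerprint: {source_ip: packet_count}} for query templates
    seen from at least `min_sources` distinct source addresses.

    Heuristic (an assumption of this example): independent clients do not
    share a DNS query ID, source port and arriving TTL, so identical values
    across several sources point at one sender forging the source address.
    """
    groups = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a DNS query line in the expected format
        fingerprint = (m["dst"], m["qtype"], m["qname"], int(m["qid"]),
                       int(m["sport"]), int(m["ttl"]), int(m["len"]))
        groups[fingerprint][m["src"]] += 1
    return {fp: dict(srcs) for fp, srcs in groups.items()
            if len(srcs) >= min_sources}

if __name__ == "__main__":
    for fp, srcs in find_templates(SAMPLE).items():
        dst, qtype, qname, qid, sport, ttl, length = fp
        print(f"udp sport={sport} -> {dst}:53 len={length} ttl={ttl} "
              f"{qtype} {qname} id={qid}: forged sources {srcs}")
```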