[nsp-sec] FW: Backtracking .... Re: DNS Reflection DDoS
Janish, Nathan
Nathan.Janish at Level3.com
Thu Mar 3 10:50:33 EST 2011
Replied off-list.
Nathan
-----Original Message-----
From: King, Link [mailto:Link.King at neustar.com]
Sent: Thursday, March 03, 2011 6:28 AM
To: Barry Greene; Wentworth, Brett; Janish, Nathan
Cc: NSP-SEC List
Subject: Re: [nsp-sec] Backtracking .... Re: DNS Reflection DDoS
>Only one active at the moment:
>
>13:20:30.447908 IP (tos 0x0, ttl 240, id 6662, offset 0, flags [none],
>proto: UDP (17), length: 64) 78.159.108.25.25345 > 156.154.71.22.domain:
>[no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)
>
>Unfortunately, these seem to change so you might want to IM me (AIM:
>kinger0003) and I can do some live data gathering.
FWIW, we are also seeing the same stuff coming across Global Crossing
(different DST on our side):
13:25:41.849475 IP (tos 0x0, ttl 238, id 62222, offset 0, flags [none],
proto: UDP (17), length: 64) 78.159.108.25.25345 > 156.154.70.22.domain:
[no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)
--
Link King
link.king at neustar.com
More information about the nsp-security
mailing list