[nsp-sec] AS5430 under attack -- assistance needed

sthaug at nethelp.no
Thu Jul 19 14:27:18 EDT 2012


> > Your message was somewhat low on detail - but anyway, from my vantage
> > point in AS 2116 I saw a couple of cases of spoofed source DNS-based
> > amplification attacks today, against UDP/53 on these hosts (times in
> > UTC+2):
> > 
> > 194.97.15.21	 14:17 - 14:54
> > 62.104.23.36	 18:20 - 18:39
> > 
> > We have blackholed the attack traffic towards these two hosts at the
> > AS 2116 border after discovering it.
> 
> That's exactly what we have been seeing, thank you for blocking!
> 
> Is there anything I can do against such attacks from inside my
> network, which I'm not aware of?

Spoofed source DNS-based amplification attacks are all the rage at the
moment, presumably because they give a lot of "bang for the buck", with
amplification factors in the 10 to 100 range.

Since they are based on spoofed sources (the IP addresses of the victim
hosts in your AS), you either need to block the attack traffic on your
borders, or get the upstream providers to block it. I recommend opening
tickets with your upstream providers ASAP.

Steinar Haug, AS 2116
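
An added example, not part of the original message: one way to pick out hosts receiving reflected DNS responses from border flow records, so the affected addresses can be handed to upstream providers. The flow tuple layout, the thresholds and all addresses (documentation prefixes) are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    ("192.0.2.10", 40001, "198.51.100.53", 53, "udp", 70),    # local host queries a resolver
    ("198.51.100.53", 53, "192.0.2.10", 40001, "udp", 180),   # the matching answer
    ("198.51.100.7", 53, "192.0.2.20", 31337, "udp", 3900),   # answers nobody asked for
    ("203.0.113.9", 53, "192.0.2.20", 31337, "udp", 3900),
    ("203.0.113.44", 53, "192.0.2.20", 4242, "udp", 3900),
    ("198.51.100.99", 53, "192.0.2.20", 4242, "udp", 3900),
    ("203.0.113.5", 53, "192.0.2.30", 5555, "udp", 120),      # single stray packet
]


def unsolicited_dns(flows, local_net, min_bytes=5000, min_sources=3):
    """Return {local_ip: (bytes, distinct_sources)} for hosts that receive
    UDP source-port-53 traffic with no matching outbound query."""
    net = ip_network(local_net)

    # Pass 1: remember every query that really left the network.
    # Caveat: with asymmetric routing the query may leave via another border,
    # so feed flows from all borders or expect false positives.
    asked = set()
    for src, sport, dst, dport, proto, _ in flows:
        if proto == "udp" and dport == 53 and ip_address(src) in net:
            asked.add((src, sport, dst))

    # Pass 2: total up inbound "responses" that answer no recorded query.
    stats = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for src, sport, dst, dport, proto, size in flows:
        if proto != "udp" or sport != 53 or ip_address(dst) not in net:
            continue
        if (dst, dport, src) in asked:
            continue  # legitimate answer
        stats[dst]["bytes"] += size
        stats[dst]["sources"].add(src)

    return {ip: (s["bytes"], len(s["sources"])) for ip, s in stats.items()
            if s["bytes"] >= min_bytes and len(s["sources"]) >= min_sources}


if __name__ == "__main__":
    for ip, (nbytes, nsrc) in unsolicited_dns(FLOWS, "192.0.2.0/24").items():
        print(f"{ip}: {nbytes} bytes of unsolicited UDP/53 from {nsrc} sources")
```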


