[nsp-sec] DDOS against spamhaus.org nameservers - ANY attack

Nick Ianelli ni at allyourinfoarebelongto.us
Tue Sep 11 13:44:32 EDT 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sending the below with the permission from Carel at Spamhaus
(carel at spamhaus.org). If folks can assist, that would be greatly
appreciated. Feel free to contact him directly.



We're seeing a big DDOS targeting our main nameservers at the moment.
Several operators have reported 8-9 gbit/sec per nameserver, which
puts the total confirmed traffic at 50+ gbit/sec. Targets are:

ns8.spamhaus.org - 82.94.216.239 - Confirmed
ns3.xs4all.nl - 194.109.9.101 - Confirmed
fi503-hfj.surfnet.nl - 145.97.20.167 - Confirmed
ns20.ja.net - 194.82.174.6 - Unconfirmed
ns3.spamhaus.org - 192.150.94.200 - Confirmed
fi503-nij.surfnet.nl - 195.169.124.73 - Confirmed
ns.dns-oarc.net - 149.20.58.65 - Unconfirmed

(Confirmed = Confirmed by network operator)



It's the ANY ripe.net attack again. Sample packet:

16:39:51.731319 IP (tos 0x0, ttl 56, id 49128, offset 0, flags [+],
proto UDP (17), length 1500) 94.76.192.203.53 >
192.150.94.200.53: 952 q: ANY? ripe.net. 21/6/5 ripe.net. RRSIG,
ripe.net. RRSIG, ripe.net. RRSIG, ripe.net. RRSIG, ripe.net. RRSIG,
ripe.net. NSEC,
ripe.net. DNSKEY, ripe.net. DNSKEY, ripe.net. DNSKEY[|domain]

Seeing about 24K unique reflector IP addresses on one nameserver.


Cheers,
Nick
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEARECAAYFAlBPeIAACgkQi10dJIBjZIDYpACaAtbgz3e4OghN8BEXrLNj9UIM
9wQAniN6Ydfy+YFs0hNA8FAVFBYVg6vs
=PVIB
-----END PGP SIGNATURE-----
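As an added example (not part of Nick's or Spamhaus's post), the script below shows how an operator can turn tcpdump output in the format quoted above into the numbers the post reports: unique reflector addresses per targeted nameserver, the share of responses that are ANY answers, and how many arrive as IP fragments. The log lines are constructed for this example; the reflector addresses use the RFC 5737 documentation range, and the target address is the ns3.spamhaus.org address from the post. The thresholds in suspected_targets are assumptions chosen to make the sample trip them, not operational tuning advice.

```python
import re
from collections import defaultdict

# Matches one single-line "tcpdump -vv" record for a DNS response, i.e. the
# shape quoted in the post: "<txid> q: <QTYPE>? <qname> <an>/<ns>/<ar> ...".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP \(.*?flags \[(?P<flags>[^\]]*)\].*?"
    r"length (?P<length>\d+)\) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<txid>\d+) q: (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) "
    r"(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)"
)

# Constructed sample capture (not real traffic): four ANY ripe.net responses
# from three documentation-range reflectors aimed at the target, one ordinary
# A response elsewhere, and one line that is not a tcpdump record at all.
SAMPLE = """\
16:39:51.731319 IP (tos 0x0, ttl 56, id 49128, offset 0, flags [+], proto UDP (17), length 1500) 198.51.100.11.53 > 192.150.94.200.53: 952 q: ANY? ripe.net. 21/6/5 ripe.net. RRSIG, ripe.net. DNSKEY[|domain]
16:39:51.731402 IP (tos 0x0, ttl 52, id 10231, offset 0, flags [+], proto UDP (17), length 1500) 198.51.100.12.53 > 192.150.94.200.53: 952 q: ANY? ripe.net. 21/6/5 ripe.net. RRSIG, ripe.net. DNSKEY[|domain]
16:39:51.731510 IP (tos 0x0, ttl 49, id 777, offset 0, flags [+], proto UDP (17), length 1500) 198.51.100.13.53 > 192.150.94.200.53: 952 q: ANY? ripe.net. 21/6/5 ripe.net. RRSIG, ripe.net. DNSKEY[|domain]
16:39:51.731622 IP (tos 0x0, ttl 56, id 49129, offset 0, flags [+], proto UDP (17), length 1500) 198.51.100.11.53 > 192.150.94.200.53: 952 q: ANY? ripe.net. 21/6/5 ripe.net. RRSIG, ripe.net. DNSKEY[|domain]
16:39:52.004101 IP (tos 0x0, ttl 60, id 3, offset 0, flags [DF], proto UDP (17), length 73) 198.51.100.9.53 > 203.0.113.7.41230: 4421 q: A? example.com. 1/0/0 example.com. A 203.0.113.80
garbage line that is not a tcpdump record
"""


def parse_line(line):
    """Parse one tcpdump DNS-response line; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"], "src": d["src"], "dst": d["dst"],
        "sport": int(d["sport"]), "dport": int(d["dport"]),
        "length": int(d["length"]),
        # "+" in the IP flags means "more fragments": a >1500-byte answer
        # that the reflector had to split, typical of large ANY responses.
        "more_frags": "+" in d["flags"],
        "qtype": d["qtype"], "qname": d["qname"],
        "rrcount": int(d["an"]) + int(d["ns"]) + int(d["ar"]),
    }


def summarize(lines):
    """Aggregate DNS responses (source port 53) per destination address."""
    acc = defaultdict(lambda: {"reflectors": set(), "responses": 0,
                               "any_responses": 0, "fragmented": 0, "bytes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["sport"] != 53:
            continue  # only answers from port 53 can be reflected traffic
        t = acc[rec["dst"]]
        t["reflectors"].add(rec["src"])
        t["responses"] += 1
        t["bytes"] += rec["length"]
        if rec["qtype"] == "ANY":
            t["any_responses"] += 1
        if rec["more_frags"]:
            t["fragmented"] += 1
    # Sorted reflector lists are what you hand to the operators of those networks.
    return {dst: {**t, "reflectors": sorted(t["reflectors"])} for dst, t in acc.items()}


def suspected_targets(summary, min_reflectors=2, min_any_share=0.5):
    """Destinations receiving ANY answers from many distinct resolvers (assumed thresholds)."""
    hits = []
    for dst, t in summary.items():
        share = t["any_responses"] / t["responses"]
        if len(t["reflectors"]) >= min_reflectors and share >= min_any_share:
            hits.append(dst)
    return sorted(hits)


if __name__ == "__main__":
    s = summarize(SAMPLE.splitlines())
    for dst in suspected_targets(s):
        t = s[dst]
        print(f"{dst}: {len(t['reflectors'])} reflectors, "
              f"{t['any_responses']}/{t['responses']} ANY responses, "
              f"{t['fragmented']} fragments, {t['bytes']} bytes")
```

Run against a real capture with `tcpdump -nn -vv udp src port 53 | python3 script.py`-style piping by replacing SAMPLE with sys.stdin; the per-target reflector list is the artefact to share with the networks hosting the open resolvers, and the fragment count is a reminder that ACLs matching on UDP port 53 alone will not see the non-first fragments.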


