[nsp-sec] 12-15 Gbps DNS Amplification attack against 31.222.133.87/32

Tom Sands tsands at rackspace.com
Tue Apr 30 09:40:11 EDT 2013


Just an update on this for more detail.

The captures that have been done so far indicated the following.

The source of the DNS queries is being spoofed as 31.222.133.87/32 (of course)
Both the src and dst ports are 53 (rather than high source)
All captures done so far show each target (amplifier) getting the same DNS query ID (not incrementing)
All captures done so far show the domain being looked up as Arin.net


Tom Sands
Director of Networking
Rackspace Hosting
(210)312-4391

On 4/29/13 1:42 PM, Tom Sands wrote:
> ----------- nsp-security Confidential --------
>
>
>
> We've had this attack ongoing for about 5 days now and are looking for 
> some assistance.
>
> Thank you,
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
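The traits listed in the update (source and destination port both 53, a query ID that does not change, one repeated query name) can be checked by an amplifier operator against captured queries. The sketch below is an added example, not part of the original message; the function names, the `min_repeats` threshold, the sample addresses and the type A query are assumptions made for illustration.

```python
import struct
from collections import Counter

def parse_query(payload):
    """Return (query_id, qname) for a DNS query, or None if malformed or a response."""
    if len(payload) < 12:
        return None
    qid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:  # QR bit set means this is a response
        return None
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]
        if length == 0:
            return qid, ".".join(labels).lower()
        if length > 63 or pos + 1 + length > len(payload):
            return None  # compression pointer or truncated label
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return None

def suspicious_sources(packets, min_repeats=3):
    """Return (src_ip, query_id, qname) keys repeated with src and dst port 53."""
    seen = Counter()
    for src_ip, src_port, dst_port, payload in packets:
        parsed = parse_query(payload)
        if parsed is None or src_port != 53 or dst_port != 53:
            continue
        seen[(src_ip, *parsed)] += 1
    return {key: n for key, n in seen.items() if n >= min_repeats}

def build_query(qid, name):
    """Build a type A query for the constructed sample (query type is an assumption)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", 1, 1)

# Constructed sample: (src_ip, src_port, dst_port, payload). 198.51.100.7 stands
# in for the spoofed address; the other two sources are ordinary clients.
SAMPLE = (
    [("198.51.100.7", 53, 53, build_query(0x1234, "Arin.net"))] * 4
    + [("192.0.2.10", 40000 + i, 53, build_query(0x2000 + i, "example.com")) for i in range(4)]
    + [("192.0.2.20", 53, 53, build_query(0x3000 + i, "example.org")) for i in range(4)]
)

if __name__ == "__main__":
    for (ip, qid, qname), n in suspicious_sources(SAMPLE).items():
        print(f"{ip} id=0x{qid:04x} qname={qname} repeats={n}")
```

Only the source that combines port 53 with a repeated query ID and name is reported; a client using high source ports or incrementing IDs is not.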




