It's alleged to be a DNS amplification attack, of which the US-CERT says at https://www.us-cert.gov/ncas/alerts/TA13-088A: "The primary technique consists of an attacker sending a DNS name lookup request to an open DNS server with the source address spoofed to be the target’s address." The Spark DNS servers do not appear to be open, so the attack can only be coming from their own customers. Therefore, can someone comment on whether Spark has BCP38 in place, since ingress filtering is the main defence against such attacks?

Regards
Brian Carpenter

On 07/09/2014 10:29, Juha Saarinen wrote:
Saw that TIFKAT suggests that customers manually change their DNS settings to sort out website access issues:
http://helpbusiness.spark.co.nz/app/answers/detail/a_id/3701/related/1
What actually happened? Seen suggestions that it was a DNS amplification DDoS that might have been related to Spark customers clicking on phishing messages that had them download some form of malware that compromised their computers.
Spark said:
http://www.spark.co.nz/help/servicealert/mobileservicealert/
“The root cause is likely to be a handful of customers on our network whose computers are affected by malware, generating high levels of traffic destined for overseas sites.”
Looks like it’s an ongoing issue too, as per the Spark service alerts.
Has anyone seen any more detail on the incident? If this isn’t super operational, please email me off-list.
Thanks
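As an added illustration of the BCP38 ingress filtering Brian asks about (example code, not part of the thread or of any Spark configuration): strict-mode unicast reverse path forwarding is the usual way an access network implements it. The interface names, prefixes and sample packets below are constructed; the check is that the route back to a packet's source address must point at the interface the packet arrived on, so a customer port cannot emit a DNS query carrying someone else's address.

```python
# Added example (not from the NZNOG thread): strict-mode unicast reverse path
# forwarding (uRPF), the usual implementation of BCP38 ingress filtering on
# customer-facing router ports. A packet is forwarded only if the route back
# to its *source* address points at the interface it arrived on; a spoofed
# source (e.g. a DNS query carrying a victim's address) fails and is dropped.
import ipaddress

# Constructed FIB: prefix -> egress interface. Names and prefixes are assumed.
FIB = {
    "198.51.100.0/24": "cust-eth1",   # customer A's assigned block
    "203.0.113.0/26": "cust-eth2",    # customer B's assigned block
    "0.0.0.0/0": "upstream-eth0",     # default route towards transit
}

def lookup(fib, src):
    """Longest-prefix match of src against the FIB; returns the egress interface."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_strict(fib, ingress_iface, src):
    """True if the packet may be forwarded, False if it fails the reverse-path check.
    Strict mode is meant for single-homed customer edges; on multi-homed or
    asymmetric links it can reject legitimate traffic (the usual caveat)."""
    return lookup(fib, src) == ingress_iface

def filter_packets(fib, packets):
    """Apply strict uRPF to (ingress_iface, src, dst) tuples; return (forwarded, dropped)."""
    forwarded, dropped = [], []
    for iface, src, dst in packets:
        (forwarded if urpf_strict(fib, iface, src) else dropped).append((iface, src, dst))
    return forwarded, dropped

# Constructed sample: two legitimate customer packets and two with spoofed
# sources arriving on customer ports (all addressed to a resolver at 192.0.2.53).
SAMPLE = [
    ("cust-eth1", "198.51.100.7", "192.0.2.53"),  # legitimate, customer A
    ("cust-eth2", "203.0.113.9", "192.0.2.53"),   # legitimate, customer B
    ("cust-eth1", "192.0.2.200", "192.0.2.53"),   # spoofed: source routes via upstream
    ("cust-eth2", "198.51.100.7", "192.0.2.53"),  # spoofed: source belongs to customer A
]

if __name__ == "__main__":
    fwd, drop = filter_packets(FIB, SAMPLE)
    print("forwarded:", fwd)
    print("dropped:", drop)
```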
NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog