Anyone else seeing massive amount of UDP/53 DNS queries since ~6pm last night ?
On Nov 5, 2010, at 3:04 AM, Ian Batterbee wrote:
Looks like a new DDOS out there.. anyone else seeing it ?
More classification details would be helpful in identifying the traffic in question, thanks!
-----------------------------------------------------------------------
Roland Dobbins
Further to that, it looks like we're being hit by this
http://foxpa.ws/2010/07/21/thwarting-the-isc-org-dns-ddos/
which is a very large number of clients all making ANY requests for isc.org.
The problem is that a lot of the source addresses are within our network,
suggesting that we either have a lot of infected customers, or they're
spoofed and someone is targeting our customers with unsolicited dns
responses.
On 5 November 2010 09:04, Ian Batterbee
Looks like a new DDOS out there.. anyone else seeing it ?
On Nov 5, 2010, at 7:27 AM, Ian Batterbee wrote:
or they're spoofed and someone is targeting our customers with unsolicited dns responses.
If you've implemented BCP38/84 antispoofing mechanisms at the edges of your network via iACLs, uRPF, etc., folks outside your network shouldn't be able to send traffic spoofed with your IPs/your customers' IPs into your network from outside.
-----------------------------------------------------------------------
Roland Dobbins
Ian Batterbee wrote:
Further to that, it looks like we're being hit by this
http://foxpa.ws/2010/07/21/thwarting-the-isc-org-dns-ddos/
which is a very large number of clients all making ANY requests for isc.org.
The problem is that a lot of the source addresses are within our network, suggesting that we either have a lot of infected customers, or they're spoofed and someone is targeting our customers with unsolicited dns responses.
Are you certain the traffic you saw match the pattern of the attack
described in that blog post?
The reason I think they are using
On 5 November 2010 09:04, Ian Batterbee <ibatterb(a)gmail.com> wrote:
Looks like a new DDOS out there.. anyone else seeing it ?
-- Sebastian Castro DNS Specialist .nz Registry Services (New Zealand Domain Name Registry Limited) desk: +64 4 495 2337 mobile: +64 21 400535
On Nov 5, 2010, at 8:21 AM, Sebastian Castro wrote:
The reason I think they are using
is because isc.org is signed and the response is large (1436 bytes) if you query using EDNS0 set.
I've seen more and more of this, making use of various DNSSEC servers/RRs, in the last few weeks. DNSSEC has made it much easier for folks launching amplification/reflection attacks to locate records which return large answers in response to small queries.
-----------------------------------------------------------------------
Roland Dobbins
On Fri, Nov 5, 2010 at 14:26, Dobbins, Roland
records which return large answers in response to small queries.
Amplification, why babies love rattles.
Roland Dobbins
Hamish. -- http://tr.im/HKM
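Added example, not part of any poster's message: a sketch of the triage the thread describes. It parses DNS query payloads, flags names receiving ANY queries from many distinct sources, lists which of those sources fall inside the local prefix, and compares the 1436-byte response reported above with the size of a minimal EDNS0 ANY query (DNS payload only). The function names, the 192.0.2.0/24 "local" prefix, the `min_sources` threshold and the sample capture are assumptions constructed for illustration.

```python
import ipaddress
import struct

QTYPE_ANY = 255
RESPONSE_BYTES = 1436  # response size reported in the thread for isc.org with EDNS0
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumption: stands in for "our network"

def build_query(name, qtype, edns=True):
    """Build a constructed DNS query payload (sample input only)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns else 0)
    # OPT pseudo-RR: root name, type 41, UDP size 4096, DO bit set, no options
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000, 0) if edns else b""
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def parse_query(pkt):
    """Return (qname, qtype, has_edns0) for a single-question query payload."""
    _, flags, qdcount, _, _, arcount = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while pkt[pos]:
        n = pkt[pos]
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii").lower())
        pos += 1 + n
    qtype, _ = struct.unpack("!HH", pkt[pos + 1:pos + 5])
    has_edns0 = arcount > 0 and pkt[pos + 5:pos + 8] == b"\x00\x00\x29"
    return ".".join(labels), qtype, has_edns0

def summarise(samples, min_sources=3):
    """Flag names receiving ANY queries from at least min_sources distinct sources."""
    seen = {}
    for src, pkt in samples:
        try:
            qname, qtype, _ = parse_query(pkt)
        except (ValueError, IndexError, struct.error):
            continue  # malformed or non-query payloads are skipped
        if qtype == QTYPE_ANY:
            seen.setdefault(qname, set()).add(ipaddress.ip_address(src))
    return {q: {"sources": len(s), "amplification": round(RESPONSE_BYTES / len(build_query(q, QTYPE_ANY)), 1),
                "local": sorted(str(a) for a in s if any(a in n for n in LOCAL_NETS))}
            for q, s in seen.items() if len(s) >= min_sources}

# Constructed capture: (source address, DNS payload); addresses are documentation ranges.
SAMPLES = [(ip, build_query("isc.org", QTYPE_ANY)) for ip in
           ("192.0.2.10", "192.0.2.77", "198.51.100.5", "203.0.113.9")]
SAMPLES += [("192.0.2.10", build_query("example.nz", 1, edns=False)), ("198.51.100.5", b"\x00\x01")]
```

Local source addresses seen on an external-facing interface point to spoofing that BCP38/84 filtering should drop; the same addresses seen on customer-facing interfaces point to hosts actually sending the queries.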