Possible DDoS?

Chuck Swiger cswiger at mac.com
Wed Oct 17 18:31:22 UTC 2012


Hi--

On Oct 17, 2012, at 11:17 AM, Manson, John wrote:
> From time to time I notice a large number of queries like these to one of my external dns servers:
>  
> 14:14:40.01407 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
> [ ... ]
> 14:14:40.98668 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
> 14:14:40.99417 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
>  
> Does this rise to the level of a DDoS attack?
> No NS record for this IP.
> I blackhole IPs that behave like this.

That sure looks to be a DNS-based DDoS.  Note that IP 121.10.105.66 is actually
the victim being attacked-- the attackers forge that address and make queries which
send lots of traffic to it.

Blackholing them on your side will mitigate against the DDoS, but also break any
legitimate traffic which they might send.  (They can always use public DNS servers
like 4.2.2.1 or 8.8.8.8 if they need to, though, so don't worry about legit
requests from them too much.)

Regards,
-- 
-Chuck
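Added example (not part of the original thread): a small detector, in Python, that parses the tcpdump-style lines shown in the post and flags any source address that sends a burst of ANY (`*`) queries within a one-second window. The sample input reuses the two real lines from the post plus constructed filler lines; as Chuck points out, a flagged source is most likely the spoofed victim, so the output is a candidate for rate limiting or blackholing, not an attacker to pursue.

```python
import re
from collections import defaultdict

# Constructed sample: the two lines quoted in the post plus filler lines in
# the same format (192.0.2.10 is a documentation address used as a control).
SAMPLE_LOG = """\
14:14:40.01407 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.21100 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.43300 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.65000 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.98668 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.99417 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:41.10000 192.0.2.10 -> 143.231.1.67 DNS C www.gop.gov. Internet Addr ?
14:14:41.20000 192.0.2.10 -> 143.231.1.67 DNS C gop.gov. Internet * ?
"""

# time  src -> dst  "DNS C"  qname  qclass  qtype  "?"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+"
    r"DNS C\s+(?P<qname>\S+)\s+(?P<qclass>\S+)\s+(?P<qtype>\S+)\s+\?$"
)

def parse_line(line):
    """Parse one capture line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s = m.group("ts").split(":")
    return {
        "t": int(h) * 3600 + int(mi) * 60 + float(s),  # seconds since midnight
        "src": m.group("src"),
        "qname": m.group("qname"),
        "qtype": m.group("qtype"),                      # "*" means ANY
    }

def find_any_floods(log_text, threshold=5, window=1.0):
    """Return {src: peak ANY-query count in any `window`-second span} for
    every source whose peak reaches `threshold`. Sliding window per source."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["qtype"] == "*":
            times[rec["src"]].append(rec["t"])
    flagged = {}
    for src, ts in times.items():
        ts.sort()
        peak, start = 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged
```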
More information about the bind-users mailing list