Possible DDoS?
Phil Mayers
p.mayers at imperial.ac.uk
Wed Oct 17 22:59:11 UTC 2012
On 10/17/2012 07:39 PM, Dennis Clarke wrote:
> I have the exact same problem with an ip inside State of Colorado
> General Government Computer subnet :
>
> http://whois.arin.net/rest/org/SCGGC
That's not exactly a fly-by-night organisation; have you contacted them?
>
> Some server there has been pounding queries at me at a rate of
> 48,000+ a day :
Some packets are arriving with that source IP. Big difference.
It's possible (likely?) the sources are spoofed, and someone is inducing
*you* to bombard that IP with replies (or trying to).
>
> Queries show up in bunches, while the average is every 1.7 secs I see
> dozens of queries all arrive nearly at the same time, then a ten
> second pause, then again another burst.
>
> Makes no sense to me what is going on there.
Attacker sends 1 million DNS queries of 100 bytes each, with a spoofed
source. DNS server sends 1 million DNS replies of 1000 bytes each to the
spoofed IP. 10x amplification, means the attacker can use lower-spec
machines to overload a target.
Or something is just broken, and the source IPs are real - in which
case, contact them.
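An added illustration of the two points made above (the burst-shaped arrival pattern and the 10x amplification arithmetic), written from the defender's side; it is example code, not part of this thread or of BIND. It assumes the older BIND 9 query-log line layout shown in the comment (the exact fields vary by version and logging channel), and every log line, address (TEST-NET ranges) and the 1000-byte response size is constructed or assumed for the demonstration.

```python
"""Spot burst-shaped query floods per source IP in BIND query-log lines and
estimate how many bytes would be reflected toward the (possibly spoofed) source."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed older BIND 9 query-log layout, e.g.
#   17-Oct-2012 19:39:01.000 client 192.0.2.10#4312: query: example.com IN ANY +E (198.51.100.5)
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?P<ip>[^#\s]+)#\d+: "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+) \((?P<server>[^)]+)\)$"
)


def parse_line(line):
    """Return a dict for a query-log line, or None for lines that are not queries."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return {"ts": ts, "ip": m.group("ip"), "name": m.group("name"),
            "qtype": m.group("qtype"), "flags": m.group("flags")}


def group_bursts(records, gap_seconds=2.0):
    """Cluster each source's queries into bursts: a new burst starts whenever the
    gap since that source's previous query exceeds gap_seconds."""
    by_ip = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_ip[r["ip"]].append(r["ts"])
    bursts = {}
    for ip, times in by_ip.items():
        runs = [[times[0]]]
        for prev, cur in zip(times, times[1:]):
            if (cur - prev).total_seconds() > gap_seconds:
                runs.append([])
            runs[-1].append(cur)
        bursts[ip] = [(run[0], len(run)) for run in runs]
    return bursts


def suspicious_sources(bursts, min_burst=10):
    """Sources whose queries arrive in bursts of at least min_burst; the claimed
    source in a reflection attack typically shows this shape rather than a steady trickle."""
    return {ip: runs for ip, runs in bursts.items() if any(n >= min_burst for _, n in runs)}


def amplification(query_bytes, response_bytes):
    """Amplification factor: response size over query size (100 -> 1000 bytes is 10x)."""
    return response_bytes / query_bytes


def reflected_bytes(n_queries, response_bytes):
    """Bytes this server would send toward the claimed source if every query is answered."""
    return n_queries * response_bytes


def analyze(lines, gap_seconds=2.0, min_burst=10, response_bytes=1000):
    """Parse lines, find burst-shaped sources, and report per-source totals.
    response_bytes is an assumed typical answer size, not measured from the log."""
    records = [r for r in map(parse_line, lines) if r]
    flagged = suspicious_sources(group_bursts(records, gap_seconds), min_burst)
    report = {}
    for ip, runs in flagged.items():
        total = sum(n for _, n in runs)
        report[ip] = {"bursts": [(t.isoformat(), n) for t, n in runs],
                      "queries": total,
                      "reflected_bytes": reflected_bytes(total, response_bytes)}
    return report


def constructed_log():
    """Constructed sample: two bursts of 12 ANY queries ten seconds apart from one
    address, plus spaced-out ordinary lookups from another, plus one non-query line."""
    lines = []
    for base in ("19:39:01", "19:39:11"):
        for i in range(12):
            lines.append(f"17-Oct-2012 {base}.{i * 25:03d} client 192.0.2.10#{4312 + i}: "
                         f"query: example.com IN ANY +E (198.51.100.5)")
    for sec in (0, 3, 7):
        lines.append(f"17-Oct-2012 19:39:{sec:02d}.500 client 203.0.113.7#5353: "
                     f"query: www.example.net IN A + (198.51.100.5)")
    lines.append("17-Oct-2012 19:39:05.000 general: info: zone example.com/IN: loaded")
    return lines


if __name__ == "__main__":
    for ip, info in analyze(constructed_log()).items():
        print(ip, info["queries"], "queries in", len(info["bursts"]), "bursts;",
              "would reflect", info["reflected_bytes"], "bytes")
```

The burst grouping is what distinguishes the pattern described in the quoted mail (dozens at once, a pause, another burst) from a misconfigured but honest client; the reflected-byte figure is the number to weigh when deciding whether your server is being used against the address in the log, and the gap and burst thresholds are tunables, not fixed rules.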