Possible DDoS?

Phil Mayers p.mayers at imperial.ac.uk
Wed Oct 17 22:59:11 UTC 2012


On 10/17/2012 07:39 PM, Dennis Clarke wrote:

> I have the exact same problem with an ip inside State of Colorado
> General Government Computer subnet :
>
> http://whois.arin.net/rest/org/SCGGC

That's not exactly a fly-by-night organisation; have you contacted them?

>
> Some server there has been pounding queries at me at a rate of
> 48,000+ a day :

Some packets are arriving with that source IP. Big difference.

It's possible (likely?) the sources are spoofed, and someone is inducing 
*you* to bombard that IP with replies (or trying to).

>
> Queries show up in bunches, while the average is every 1.7 secs I see
> dozens of queries all arrive nearly at the same time, then a ten
> second pause, then again another burst.
>
> Makes no sense to me what is going on there.

Attacker sends 1 million DNS queries of 100 bytes each, with a spoofed 
source. DNS server sends 1 million DNS replies of 1000 bytes each to the 
spoofed IP. 10x amplification, means the attacker can use lower-spec 
machines to overload a target.

Or something is just broken, and the source IPs are real - in which 
case, contact them.
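As an added example (not part of this thread or of BIND), the short Python script below looks for the burst pattern Dennis describes in BIND-style query-log lines: per-source runs of queries packed into a one-second window, separated by pauses. The log line format and the sample lines are constructed assumptions, not a capture from anyone on the list.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches a BIND 9 style query-log line (format assumed; see constructed sample below).
LOG_RE = re.compile(
    r"(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse_query_log(lines):
    """Return (timestamp, client_ip, qname, qtype) for each line that matches LOG_RE."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
            events.append((ts, m["ip"], m["qname"], m["qtype"]))
    return events

def bursts_by_source(events, window=1.0, threshold=10):
    """Map client IP -> [(burst_start, query_count)] for runs of >= threshold
    queries that all fall within `window` seconds of the run's first query."""
    per_ip = defaultdict(list)
    for ts, ip, _, _ in events:
        per_ip[ip].append(ts)
    result = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        bursts, i = [], 0
        while i < len(stamps):
            j = i  # extend the run while queries stay inside the window
            while j + 1 < len(stamps) and (stamps[j + 1] - stamps[i]).total_seconds() <= window:
                j += 1
            if j - i + 1 >= threshold:
                bursts.append((stamps[i], j - i + 1))
            i = j + 1
        if bursts:
            result[ip] = bursts
    return result

# Constructed sample log (not a real capture): two bursts of ANY queries from one
# client ten seconds apart, plus sparse background traffic from another client.
SAMPLE_LOG = (
    [f"17-Oct-2012 19:39:01.{i:03d} client 192.0.2.10#{40000 + i}: query: example.com IN ANY +E (203.0.113.53)" for i in range(12)]
    + [f"17-Oct-2012 19:39:11.{i * 5:03d} client 192.0.2.10#{41000 + i}: query: example.com IN ANY +E (203.0.113.53)" for i in range(15)]
    + [f"17-Oct-2012 19:39:{s:02d}.000 client 198.51.100.7#5300{s % 10}: query: www.example.net IN A + (203.0.113.53)" for s in (3, 20, 45)]
)

BURSTS = bursts_by_source(parse_query_log(SAMPLE_LOG))  # only 192.0.2.10 shows bursts
```

A source that shows up in this output is a candidate for the spoofed-reflection case Phil describes, so the next step is checking whether the queries are for names and types that produce large answers, and whether the "client" actually wants them.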
