Reply: Re: Possible DDoS?

Tony Xue xuezxbb at gmail.com
Wed Oct 17 23:12:43 UTC 2012


I used to get the same problem, but that was every time from three or four different source IPs, and they were all querying "ripe.net IN ANY" at around 10 queries per second.

I am pretty sure the sources were hacked, because another one of my DNS servers also became a source of the attack, and from the packets I can see they're exactly the same type of attack.

-----Original Message-----
From: Phil Mayers <p.mayers at imperial.ac.uk>
Sender: bind-users-bounces+xuezxbb=gmail.com at lists.isc.org
Date: Wed, 17 Oct 2012 23:59:11
To: <bind-users at lists.isc.org>
Subject: Re: Possible DDoS?

On 10/17/2012 07:39 PM, Dennis Clarke wrote:

> I have the exact same problem with an ip inside State of Colorado
> General Government Computer subnet :
>
> http://whois.arin.net/rest/org/SCGGC

That's not exactly a fly-by-night organisation; have you contacted them?

>
> Some server there has been pounding queries at me at a rate of
> 48,000+ a day :

Some packets are arriving with that source IP. Big difference.

It's possible (likely?) the sources are spoofed, and someone is inducing 
*you* to bombard that IP with replies (or trying to).

>
> Queries show up in bunches, while the average is every 1.7 secs I see
> dozens of queries all arrive nearly at the same time, then a ten
> second pause, then again another burst.
>
> Makes no sense to me what is going on there.

Attacker sends 1 million DNS queries of 100 bytes each, with a spoofed 
source. DNS server sends 1 million DNS replies of 1000 bytes each to the 
spoofed IP. 10x amplification, means the attacker can use lower-spec 
machines to overload a target.

Or something is just broken, and the source IPs are real - in which 
case, contact them.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
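
The pattern discussed in this thread (bursts of identical ANY queries from a few claimed sources) can be picked out of a BIND query log as follows. This is an added example, not code from any of the posters; the log layout, window, threshold and sample lines are assumptions, and the client it reports is only the claimed source address, which may be spoofed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed BIND 9 querylog layout (not taken from the thread):
#   <date> <time> client <ip>#<port>: query: <name> <class> <type> <flags> (<server ip>)
# The optional groups tolerate the "@0x..." and "(name)" fields of newer releases.
LINE_RE = re.compile(
    r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?:@0x[0-9a-f]+ )?"
    r"([0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?: query: (\S+) (\S+) (\S+)"
)

def parse(line):
    """Return (timestamp, client, qname, qtype), or None for non-query lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group(2), m.group(3).lower().rstrip("."), m.group(5).upper()

def find_any_floods(lines, window_s=1.0, threshold=10):
    """Map (client, qname) -> peak count of identical ANY queries seen inside
    a sliding window, for pairs that reach `threshold` within `window_s`."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec[3] != "ANY":
            continue
        ts, client, qname, _ = rec
        q = recent[(client, qname)]
        q.append(ts)
        while ts - q[0] >= window:      # drop entries older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[(client, qname)] = max(peaks.get((client, qname), 0), len(q))
    return peaks

# Constructed sample (documentation addresses), not real traffic.
SAMPLE = [
    f"17-Oct-2012 23:12:43.{i * 80:03d} client 192.0.2.10#{40000 + i}: "
    "query: ripe.net IN ANY +E (198.51.100.53)" for i in range(12)
] + [
    "17-Oct-2012 23:12:50.000 client 203.0.113.7#5353: query: ripe.net IN ANY + (198.51.100.53)",
    "17-Oct-2012 23:12:52.000 client 203.0.113.7#5353: query: ripe.net IN ANY + (198.51.100.53)",
    "17-Oct-2012 23:12:52.500 client 203.0.113.7#5354: query: www.ripe.net IN A + (198.51.100.53)",
]

if __name__ == "__main__":
    for (client, qname), peak in find_any_floods(SAMPLE).items():
        print(f"{client} sent {peak} ANY queries for {qname} within 1s (source may be spoofed)")
```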
