North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: DNS requests from 209.67.50.203
In message <[email protected]>, John Kristoff writes: > >I'm surprised this hasn't come up in NANOG yet... > >On a university list many sites are reporting large amounts of traffic >appearing to come from 209.67.50.203 to their DNS servers. The >administrator of the source IP (spoofed of course) is the victim of a >brutal DoS attack. The traffic is UDP/DNS queries that are appear to be >going directly to available DNS servers (as opposed to random hosts). >Most sites are reporting on the order of 6 or more packets per second to >their DNS servers. The victim has apparently seen upwards of 90 Mb/s of >traffic coming back in to them. Does anyone here have anymore >information on this attack? Yes, it's a DDoS attack, of the type that Vern Paxson has dubbed "refletor attacks". You send a forged DNS query to a DNS server; it sends its reply to the victim. Then you have lots of hosts around the net doing this, but banging on different DNS servers. --Steve Bellovin
|