North American Network Operators Group

Re: DNS requests from 209.67.50.203
On Tue, Jan 09, 2001 at 07:24:39PM -0500, Steven M. Bellovin wrote:
>
> In message <[email protected]>, John Kristoff writes:
> >
> >I'm surprised this hasn't come up in NANOG yet...
> >
> >On a university list many sites are reporting large amounts of traffic
> >appearing to come from 209.67.50.203 to their DNS servers. The
> >administrator of the source IP (spoofed of course) is the victim of a
> >brutal DoS attack. The traffic is UDP/DNS queries that appear to be
> >going directly to available DNS servers (as opposed to random hosts).
> >Most sites are reporting on the order of 6 or more packets per second to
> >their DNS servers. The victim has apparently seen upwards of 90 Mb/s of
> >traffic coming back in to them. Does anyone here have any more
> >information on this attack?
>
> Yes, it's a DDoS attack, of the type that Vern Paxson has dubbed
> "reflector attacks". You send a forged DNS query to a DNS server; it
> sends its reply to the victim. Then you have lots of hosts around the
> net doing this, but banging on different DNS servers.

A good way to reduce this is to turn off recursion for people not on
your network for your dns server.

This is fairly easy to do with bind8/bind9.

- Jared

--
Jared Mauch  | pgp key available via finger from [email protected]
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
END OF LINE  | Manager of IP networks built within my own home
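One way to apply the mitigation suggested in the message above, as an added example that is not part of the original post: a named.conf fragment that offers recursion only to your own clients. The ACL name "local-clients" and the 192.0.2.0/24 and 198.51.100.0/24 prefixes are placeholders to replace with your own networks.

```conf
// Added example, not from the original message.
// "local-clients" and the prefixes below (documentation ranges) are
// placeholders: list the networks whose hosts use this server as a resolver.
acl "local-clients" {
    127.0.0.1;
    192.0.2.0/24;
    198.51.100.0/24;
};

options {
    // Weak setting, shown for comparison: recursion offered to any source
    // address, so a forged query from outside is resolved and answered.
    // allow-recursion { any; };

    // Corrected setting: recurse only for clients on your own networks.
    // Queries for zones this server is authoritative for are still answered.
    allow-recursion { "local-clients"; };
};

// Alternative for a server that is authoritative only and has no resolver
// clients at all: switch recursion off entirely instead of using an ACL.
// options {
//     recursion no;
// };
```

After reloading named, a recursive query for an outside name sent from a host that is not in the ACL should no longer return a resolved answer.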