[dns-operations] Abnormal activity from chinanet?

Keith Mitchell keith at isc.org
Fri Dec 2 17:51:36 UTC 2011


Experience with similar incidents in the past suggests it is probably
worth contacting the CNCERT folks about this, who will hopefully be able
to reach out to the ISP.

Keith


On 12/02/2011 12:05 PM, Chris Adams wrote:
> Once upon a time, Jason Bratton <jbratton at rackspace.com> said:
>> I'm happy to know we aren't the only ones seeing this then.  We've had 
>> the exact same traffic patterns since Monday, and they show no signs of 
>> stopping.
>>
>> The IP addresses are either spoofed or they are going out multiple 
>> providers simultaneously because we are seeing the traffic sourced from 
>> the same IP addresses hit our US and UK anycast nodes simultaneously. 
>> I'm leaning more towards spoofed IP addresses because the usage of ANY 
>> queries sure seems like an attempt at an amplification attack.
> 
> One thing I've noticed is that we see the requests between about 0400
> and 1900 UTC - it almost looks like somebody is doing this manually and
> takes a break to go to sleep.
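
Added example, not part of the thread or any poster's tooling: a Python check for the two observations quoted above, namely ANY queries from one source address arriving at more than one anycast node at nearly the same time, and the UTC hours in which ANY queries arrive. The log format, node names, addresses (documentation ranges) and the 5-second window are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records: UTC timestamp, anycast node, source IP, qtype.
SAMPLE_LOG = """\
2011-12-02T04:10:01Z us-node 192.0.2.10 ANY
2011-12-02T04:10:02Z uk-node 192.0.2.10 ANY
2011-12-02T04:10:03Z us-node 198.51.100.7 A
2011-12-02T09:30:00Z uk-node 192.0.2.10 ANY
2011-12-02T09:30:01Z us-node 192.0.2.10 ANY
2011-12-02T12:00:00Z us-node 203.0.113.5 ANY
2011-12-02T18:59:59Z uk-node 192.0.2.44 ANY
2011-12-02T21:00:00Z us-node 198.51.100.7 MX
"""

def parse(log):
    """Return a list of (datetime, node, source, qtype) tuples."""
    records = []
    for line in filter(str.strip, log.splitlines()):
        ts, node, src, qtype = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        records.append((when.replace(tzinfo=timezone.utc), node, src, qtype.upper()))
    return records

def multi_node_any_sources(records, window_s=5):
    """Sources whose ANY queries reach two different nodes within window_s."""
    hits_by_src = defaultdict(list)
    for when, node, src, qtype in records:
        if qtype == "ANY":
            hits_by_src[src].append((when, node))
    flagged = set()
    for src, hits in hits_by_src.items():
        hits.sort()
        # Any close cross-node pair implies a close adjacent cross-node pair.
        for (t1, n1), (t2, n2) in zip(hits, hits[1:]):
            if n1 != n2 and (t2 - t1).total_seconds() <= window_s:
                flagged.add(src)
    return sorted(flagged)

def any_hours_utc(records):
    """Count of ANY queries per UTC hour, to expose a daily on/off pattern."""
    hours = defaultdict(int)
    for when, _node, _src, qtype in records:
        if qtype == "ANY":
            hours[when.hour] += 1
    return dict(sorted(hours.items()))

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print(multi_node_any_sources(recs), any_hours_utc(recs))
```

A flagged source is consistent with either explanation given in the thread (spoofing or traffic leaving via multiple providers); the check does not distinguish between them.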


