[dns-operations] annoying DDoS attack on ns0.rfc1035.com
sthaug at nethelp.no
Mon Jun 11 07:24:17 UTC 2012
> I see the same query against my private domain. It started roughly on
> the 25th of May.
> What is common is the UDP size of 9000 and that both domains are signed.
> Because of that the amplification factor is much higher.
>
> What I don't understand is that the source addresses are mostly out
> of dynamic address pools from broadband ISPs around the world.
> So the victims are residential users?
No, most likely the residential users have CPEs with DNS proxies which
are open to queries from the WAN side. Thus the attack is typically:
spoofed source -> CPE -> name server -> CPE -> DoS of spoofed source
Steinar Haug, Nethelp consulting, sthaug at nethelp.no
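
Added example (not part of the original message or thread): a sketch of how an authoritative-server operator could flag the query pattern discussed above, one question repeated with EDNS UDP size 9000 from many distinct addresses. The log format, the thresholds and every sample record are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records in a hypothetical format (not real server output):
# "<epoch> <source-ip> <qname> <qtype> <edns-udp-size>"
SAMPLE_LOG = """\
1339399401 198.51.100.17 signed.example. ANY 9000
1339399401 203.0.113.44 signed.example. ANY 9000
1339399402 198.51.100.201 signed.example. ANY 9000
1339399402 192.0.2.53 www.example. A 4096
1339399402 203.0.113.9 signed.example. ANY 9000
1339399403 198.51.100.77 signed.example. ANY 9000
1339399403 198.51.100.17 signed.example. ANY 9000
1339399404 192.0.2.54 www.example. A 4096
1339399404 192.0.2.53 signed.example. DNSKEY 4096
"""

def parse(line):
    """Split one record into typed fields."""
    ts, src, qname, qtype, size = line.split()
    return int(ts), src, qname.lower(), qtype.upper(), int(size)

def flag_reflection(log, udp_size=9000, min_sources=4, min_share=0.8):
    """Return {(qname, qtype): distinct_source_count} for questions that are
    asked mostly with the given EDNS UDP size and from many distinct addresses.
    Thresholds are illustrative assumptions, not tuned values."""
    totals = defaultdict(int)    # all queries per question
    sized = defaultdict(int)     # queries advertising udp_size
    sources = defaultdict(set)   # distinct senders advertising udp_size
    for line in log.splitlines():
        if not line.strip():
            continue
        _, src, qname, qtype, size = parse(line)
        key = (qname, qtype)
        totals[key] += 1
        if size == udp_size:
            sized[key] += 1
            sources[key].add(src)
    return {
        key: len(srcs)
        for key, srcs in sources.items()
        if len(srcs) >= min_sources and sized[key] / totals[key] >= min_share
    }

if __name__ == "__main__":
    for (qname, qtype), n in flag_reflection(SAMPLE_LOG).items():
        print(f"{qname} {qtype}: {n} distinct sources at UDP size 9000")
```

Following the reply above, the addresses counted here would be the relaying CPEs rather than the spoofed target, so the output is a list of relays to rate-limit or report, not a victim list.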