[dns-operations] DNS ANY record queries - Reflection Attacks

Mohamed Lrhazi ml623 at georgetown.edu
Tue Sep 11 05:06:09 UTC 2012


Just looked at my logs, and I am seeing the same thing, and we are
georgetown.edu.

This is a report on the last 24 hours, top clients, for ANY queries:

client,count,percent
"113.21.221.21",227099,"29.606419"
"114.141.72.36",116118,"15.138060"
"114.141.72.40",86072,"11.221026"
"113.21.221.19",62376,"8.131828"
"122.248.245.102",44656,"5.821709"
"103.22.245.55",42315,"5.516518"
"184.105.175.216",35967,"4.688942"
"100.42.234.26",23495,"3.062994"
"114.141.72.45",20165,"2.628869"
"100.42.234.51",19243,"2.508669"
"114.141.72.37",18303,"2.386124"
"113.21.221.18",16093,"2.098011"
"222.186.27.31",14600,"1.903371"
"112.90.22.66",8586,"1.119339"
"183.60.200.137",6135,"0.799807"
"122.248.233.134",3046,"0.397101"
"122.248.238.198",2929,"0.381848"
"61.160.223.25",2383,"0.310667"
"61.160.223.30",1963,"0.255912"
"61.160.223.39",1355,"0.176649"

Thanks,
Mohamed.
On Mon, Sep 10, 2012 at 11:52 PM, Robert Schwartz <smellyspice at gmail.com> wrote:
> Hi All,
>
> We run a bunch of authoritative servers and have recently observed activity
> best described in a post we found here:
> https://isc.sans.edu/diary/DNS+ANY+Request+Cannon+-+Need+More+Packets/13261
>
> Using the iptables rules posted as a comment by Network Mouse (in the above
> post), we've been able to reduce the amount of junk being sent to the target
> host. Most of the target hosts seem to be in Asia, just like those mentioned
> in the SANS post.
>
> The question I have for you all is: Is this something affecting other
> operators? How have you been dealing with it?
>
> Thanks in advance for your feedback.
>
> -Rob
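A report in the same client,count,percent shape as the one in the message above can be built from a query log as follows. This is an added example, not part of the original post or either poster's tooling; it assumes BIND 9-style query log lines, takes percent to be each client's share of all ANY queries, and runs on constructed sample lines that use documentation addresses.

```python
import re
from collections import Counter

# Constructed sample lines in BIND 9 query-log style (assumed format).
# All addresses are documentation ranges, not real clients.
SAMPLE_LOG = """\
11-Sep-2012 05:00:01.101 queries: info: client 192.0.2.10#4242: query: example.edu IN ANY +E (198.51.100.53)
11-Sep-2012 05:00:01.102 queries: info: client 192.0.2.10#4242 (example.edu): query: example.edu IN ANY +E (198.51.100.53)
11-Sep-2012 05:00:01.103 queries: info: client @0x7f3c 192.0.2.10#4243 (example.edu): query: example.edu IN ANY +E(0) (198.51.100.53)
11-Sep-2012 05:00:02.201 queries: info: client 198.51.100.7#5353: query: example.edu IN ANY + (198.51.100.53)
11-Sep-2012 05:00:02.305 queries: info: client 192.0.2.10#4244: query: www.example.edu IN A + (198.51.100.53)
11-Sep-2012 05:00:03.410 queries: info: client 203.0.113.5#1111: query: example.edu IN MX + (198.51.100.53)
"""

# Tolerates three layouts: plain, with "(qname)" after the port, and with
# a leading "@0x..." client object pointer.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def any_query_report(lines, top=20):
    """Return [(client_ip, count, percent)] for ANY queries, busiest first."""
    counts = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if m and m.group("qtype").upper() == "ANY":
            counts[m.group("ip")] += 1
    total = sum(counts.values())
    if total == 0:
        return []  # no ANY queries in this window
    return [(ip, n, round(100.0 * n / total, 6))
            for ip, n in counts.most_common(top)]


def to_csv(rows):
    """Render rows in the client,count,percent layout used in the report."""
    out = ["client,count,percent"]
    out += ['"%s",%d,"%f"' % row for row in rows]
    return "\n".join(out)


if __name__ == "__main__":
    print(to_csv(any_query_report(SAMPLE_LOG.splitlines())))
```

In a reflection attack the source addresses are spoofed, so the clients at the top of such a report are most likely the targets of the amplified traffic rather than the senders.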


