[dns-operations] DDoS / Feb 6th
Ian Meikle
ian.meikle at nominet.org.uk
Thu Feb 8 11:36:55 UTC 2007
[Copy of my email to the centr-tech list repeated inline]
dns-operations-bounces at lists.oarci.net wrote on 08/02/2007 10:48:27:
> Short survey... who has been attacked on Feb. 6th?
>
> I know about:
> -G, L root
> -UK
> -PL (a-dns.pl)
>
From a trawl through DNSMON (dnsmon.ripe.net) I suspect the following
servers of being swamped by these DDoS attacks:
com: k.gtld-servers.net
e164.arpa: e164-arpa.cnnic.net.cn
lu: [a-d].dns.lu
net: k.gtld-servers.net
no: njet.norid.no, not.norid.no
org: TLD1.ULTRADNS.NET, TLD2.ULTRADNS.NET, tld3.ultradns.org,
tld4.ultradns.org, tld5.ultradns.info, tld6.ultradns.co.uk.
root: g.root-servers.net, l.root-servers.net
uk: ns[a-d].nic.uk
Some other servers show evidence of DDoS. There is clear indication that
f.root-servers.net was attacked, but it only affected some instances, for
example.
The last four are our UltraDNS-hosted servers; the same is true for org
and lu. I can't be sure but I suspect the others to be geographically
close to a targeted server. Is this true of the no servers?
My guess is that (some) root servers and one of the UltraDNS TLDs were the
target. As we only saw DDoS on our UltraDNS servers I doubt it was us, and
not all of org was hit. Maybe info?
Regards,
Ian