[dns-operations] DDoS / Feb 6th

Ian Meikle ian.meikle at nominet.org.uk
Thu Feb 8 11:36:55 UTC 2007

[Copy of my email to the centr-tech list repeated inline]

dns-operations-bounces at lists.oarci.net wrote on 08/02/2007 10:48:27:

> Short survey... who has been attacked on Feb. 6th?
> I know about:
> -G, L root
> -UK
> -PL (a-dns.pl)
>From a trawl through DNSMON (dnsmon.ripe.net) I suspect the following 
servers of being swamped by these DDoS attacks:

com:            k.gtld-servers.net
e164.arpa:      e164-arpa.cnnic.net.cn
lu:             [a-d].dns.lu
net:            k.gtld-servers.net
no:             njet.norid.no, not.norid.no
org:            TLD1.ULTRADNS.NET, TLD2.ULTRADNS.NET, tld3.ultradns.org, 
tld4.ultradns.org, tld5.ultradns.info, tld6.ultradns.co.uk.
root:   g.root-servers.net, l.root-servers.net
uk:             ns[a-d].nic.uk

Some other servers show evidence of DDoS. There is clear indication that 
f.root-servers.net was attacked, but it only affected some instances, for 

The last four are our Ultradns hosted servers, the same is true for org 
and lu. I can't be sure but I suspect the others to be geographically 
close to a targeted server. Is this true of the no servers?

My guess is that (some) root servers and one of the UltraDNS TLDs were the 

target. As we only saw DDoS on our UltraDNS servers I doubt it was us, and 

not all of org was hit. Maybe info?



More information about the dns-operations mailing list