[dns-operations] DDoS attack data collection

Steve Bertrand steve at ibctech.ca
Wed Jan 28 03:01:16 UTC 2009

Duane Wessels wrote:
> OARC is coordinating collection of data that could help security
> researchers better understand this attack.  If you are willing to
> help out by sending us some packet captures, please consider running
> the shell script found on our web page:  https://www.dns-oarc.net/node/171

I see this traffic pattern to IP addresses of machines that have not
been active DNS-wise for months, if not years. I also have single-homed
clients that have DNS servers, who are iffy-at-best to get a hold of at
times, so I can't run the script on all DNS servers under my control.

Being a very small ISP, with only two Internet connections, would it be
helpful if I ran this on my border routers/IDSs for all traffic ingress
to my entire /21?

For approximately 60 seconds I did let it run on one of my border
routers (FBSD running Quagga), and it sent six pcaps.

Is this advisable/helpful?


