[dns-operations] Abnormal activity from chinanet?
Jason Bratton
jbratton at rackspace.com
Fri Dec 2 16:50:37 UTC 2011
I'm happy to know we aren't the only ones seeing this then. We've had
the exact same traffic patterns since Monday, and they show no signs of
stopping.
The IP addresses are either spoofed or they are going out multiple
providers simultaneously because we are seeing the traffic sourced from
the same IP addresses hit our US and UK anycast nodes simultaneously.
I'm leaning more towards spoofed IP addresses because the usage of ANY
queries sure seems like an attempt at an amplification attack.
-- Jason
Torsten Segner wrote:
> On Fri, 2 Dec 2011 12:18:01 +0100
> "Roberto Navarro - TusProfesionales.es" <rnavarro at tusprofesionales.es> wrote:
>
>> See attached image.
>>
>> Queries come from chinanet, and when one IP is firewalled another one takes
>> its place.
>>
>> _________________
>> Regards,
>> Roberto Navarro Reyes
>> SysAdmin - Tusprofesionales, SL
>
>
> Same here... and it's always the same set of 176 domains they're asking for from different source IPs.
>
>
> Ciao
> Torsten
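
The cross-node observation in the message above (the same source address sending ANY queries to the US and UK anycast nodes at the same time) can be checked mechanically over query logs. The following is an added example, not code from the thread or its participants; the log line format, node labels, function names and the 5-second window are assumptions, and the sample addresses are constructed from documentation ranges.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, anycast node, source IP, qname, qtype.
# The format is hypothetical; adapt parse() to the real query log layout.
SAMPLE_LOG = """\
2011-12-02T16:40:01Z us 192.0.2.10 example.com. ANY
2011-12-02T16:40:02Z uk 192.0.2.10 example.com. ANY
2011-12-02T16:40:03Z us 192.0.2.11 example.net. ANY
2011-12-02T16:40:04Z us 198.51.100.7 example.org. A
2011-12-02T16:40:05Z uk 198.51.100.7 example.org. A
2011-12-02T16:40:06Z uk 203.0.113.5 example.com. ANY
2011-12-02T16:45:30Z uk 192.0.2.11 example.net. ANY
"""

def parse(log_text):
    """Yield (time, node, source, qname, qtype) for each non-empty log line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, node, src, qname, qtype = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), node, src, qname, qtype

def multi_node_any_sources(log_text, window_seconds=5):
    """Return {source: [nodes]} for sources whose ANY queries reached
    different anycast nodes within window_seconds of each other."""
    hits = defaultdict(list)  # source -> [(time, node), ...]
    for ts, node, src, _qname, qtype in parse(log_text):
        if qtype.upper() == "ANY":
            hits[src].append((ts, node))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        nodes = set()
        # Checking time-adjacent events is enough: any cross-node pair inside
        # the window implies an adjacent cross-node pair inside it as well.
        for (t1, n1), (t2, n2) in zip(events, events[1:]):
            if n1 != n2 and (t2 - t1).total_seconds() <= window_seconds:
                nodes.update((n1, n2))
        if nodes:
            flagged[src] = sorted(nodes)
    return flagged

if __name__ == "__main__":
    for src, nodes in multi_node_any_sources(SAMPLE_LOG).items():
        print(f"{src}: ANY queries seen at {', '.join(nodes)} within the window")
```

A flagged source is consistent with spoofing but, as the message notes, could also be a sender reaching the service through multiple providers, so treat the result as a lead for rate limiting or filtering decisions rather than proof.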