[dns-operations] Abnormal activity from chinanet?
Chris Adams
cmadams at hiwaay.net
Fri Dec 2 17:05:26 UTC 2011
Once upon a time, Jason Bratton <jbratton at rackspace.com> said:
> I'm happy to know we aren't the only ones seeing this then. We've had
> the exact same traffic patterns since Monday, and they show no signs of
> stopping.
>
> The IP addresses are either spoofed or they are going out multiple
> providers simultaneously because we are seeing the traffic sourced from
> the same IP addresses hit our US and UK anycast nodes simultaneously.
> I'm leaning more towards spoofed IP addresses because the usage of ANY
> queries sure seems like an attempt at an amplification attack.
One thing I've noticed is that we see the requests between about 0400
and 1900 UTC - it almost looks like somebody is doing this manually and
takes a break to go to sleep.
FYI: here's a pcap filter that will match only UDP DNS ANY queries:
udp and dst port 53 and udp[10]&0xf8=0 and udp[12:4]=65536 and udp[16:4]=0 and udp[udp[4:2]-3]=255
It only works for IPv4 (that's a pcap limitation).
--
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
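Added example (not part of Chris Adams's post or the dns-operations list archive): the pcap filter above expressed as Python over raw UDP datagrams, so the offsets can be checked against constructed packets offline. The first function is a byte-for-byte port of the filter (dst port 53, QR/opcode/AA bits clear, QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0, QTYPE low byte at UDP length minus 3 equal to 255). The second walks the question name and reads QTYPE at its real position, and can optionally tolerate ARCOUNT=1, because a query that carries an EDNS0 OPT record has ARCOUNT=1 and fails the filter's udp[16:4]=0 test; whether you want to count such queries is a monitoring decision, and the example shows both counts. Packet builder, names and sample datagrams are constructed for the demonstration, not captured traffic.

```python
"""Match UDP DNS ANY queries on raw UDP datagrams (UDP header + DNS payload).

Offsets are from the start of the UDP header, as in the pcap filter:
  udp[8:10] ID, udp[10:12] flags, udp[12:14] QDCOUNT, udp[14:16] ANCOUNT,
  udp[16:18] NSCOUNT, udp[18:20] ARCOUNT, udp[20:] question section.
"""
import struct

QTYPE_ANY = 255
QTYPE_A = 1
OPT_TYPE = 41  # EDNS0 OPT pseudo-RR


def build_udp_dns_query(name: str, qtype: int, edns: bool = False,
                        src_port: int = 40000) -> bytes:
    """Construct a UDP datagram carrying one DNS query (test data, not captured)."""
    txid, flags = 0x1234, 0x0100          # QR=0, opcode=0, RD=1
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)   # QCLASS IN
    opt = b""
    if edns:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL 0, RDLEN 0
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, 0)
    payload = header + question + opt
    udp_header = struct.pack("!HHHH", src_port, 53, 8 + len(payload), 0)
    return udp_header + payload


def matches_pcap_filter(udp: bytes) -> bool:
    """Byte-for-byte equivalent of:
    udp and dst port 53 and udp[10]&0xf8=0 and udp[12:4]=65536
        and udp[16:4]=0 and udp[udp[4:2]-3]=255
    """
    if len(udp) < 20:
        return False
    if struct.unpack("!H", udp[2:4])[0] != 53:
        return False
    if udp[10] & 0xF8 != 0:                       # QR, opcode, AA all zero
        return False
    if struct.unpack("!I", udp[12:16])[0] != 65536:  # QDCOUNT=1, ANCOUNT=0
        return False
    if struct.unpack("!I", udp[16:20])[0] != 0:      # NSCOUNT=0, ARCOUNT=0
        return False
    udp_len = struct.unpack("!H", udp[4:6])[0]
    if udp_len < 21 or udp_len > len(udp):           # guard the indexed read
        return False
    return udp[udp_len - 3] == QTYPE_ANY             # low byte of last QTYPE


def is_any_query(udp: bytes, allow_edns: bool = True) -> bool:
    """Parse the question section instead of relying on datagram length.

    Accepts ARCOUNT=1 when allow_edns is set, so EDNS0 queries (which the
    pcap filter rejects via udp[16:4]=0) are still counted.
    """
    if len(udp) < 20 or struct.unpack("!H", udp[2:4])[0] != 53:
        return False
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", udp[8:20])
    if flags & 0x8000:                  # QR=1: a response, not a query
        return False
    if (flags >> 11) & 0xF != 0:        # opcode must be QUERY
        return False
    if qd != 1 or an != 0 or ns != 0:
        return False
    if ar > (1 if allow_edns else 0):
        return False
    pos = 20
    while True:                         # walk the QNAME labels
        if pos >= len(udp):
            return False
        ln = udp[pos]
        if ln == 0:
            pos += 1
            break
        if ln & 0xC0:                   # compression pointers are not valid here
            return False
        pos += 1 + ln
    if pos + 4 > len(udp):
        return False
    qtype, _qclass = struct.unpack("!HH", udp[pos:pos + 4])
    return qtype == QTYPE_ANY


def count_any_queries(datagrams) -> dict:
    """Compare how many datagrams each matcher flags."""
    return {"pcap_filter": sum(matches_pcap_filter(d) for d in datagrams),
            "parsed": sum(is_any_query(d) for d in datagrams)}


# Constructed sample datagrams: plain ANY, ANY with EDNS0, and a normal A query.
SAMPLES = [
    build_udp_dns_query("example.com", QTYPE_ANY),
    build_udp_dns_query("example.com", QTYPE_ANY, edns=True),
    build_udp_dns_query("example.com", QTYPE_A),
]

if __name__ == "__main__":
    print(count_any_queries(SAMPLES))   # {'pcap_filter': 1, 'parsed': 2}
```

Run it as-is to see the pcap-equivalent matcher flag only the plain ANY query while the parsing matcher also flags the EDNS0 one; feed it real UDP datagrams (IPv4 or IPv6, since it never looks at the IP layer) to apply the same classification to captured traffic.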