[dns-operations] annoying DDoS attack on ns0.rfc1035.com
Jim Reid
jim at rfc1035.com
Sun Jun 10 19:10:54 UTC 2012
On 10 Jun 2012, at 17:20, Jan Inge Sande wrote:
> I'm seeing the same attack as Jim Reid described on one of my
> nameservers too (just found the "source"/target address on Gmane and
> signed up for the mailing list), at ~3Kqps/1.3Mbits at the moment (in
> Germany, AS24940). No UDP checksum, the source address is set to
> 37.221.160.125 and ANY queries for a zone that isn't and hasn't
> been in use (no records apart from DNSSEC, SOA and NS). I haven't
> seen anything on the other authoritative servers.
Interesting. FWIW, RIPE NCC's whois says this address block is linked
to a different ASN from the one you found:

% Information related to '37.221.160.96 - 37.221.160.127'

inetnum: 37.221.160.96 - 37.221.160.127
netname: IxamHosting
descr: Shared/Reseller and VPS Hosting
country: RO
admin-c: MK12203-RIPE
tech-c: MK12203-RIPE
status: ASSIGNED PA
mnt-by: VOXILITY-MNT
mnt-routes: VOXILITY-MNT
mnt-lower: VOXILITY-MNT
remarks: INFRA-AW
source: RIPE # Filtered

person: Maximilian Kutzner
address: Hauptstrasse 31
address: 92361 Röckersbühl
phone: +49 1627297616
nic-hdl: MK12203-RIPE
mnt-by: VOXILITY-MNT
abuse-mailbox: abuse at ixam-hosting.com
source: RIPE # Filtered

% Information related to '37.221.160.0/21AS39743'

route: 37.221.160.0/21
descr: voxility.net
origin: AS39743
mnt-by: VOXILITY-MNT
source: RIPE # Filtered
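
Added example, not part of the original message or of any poster's tooling: a Python sketch that picks out the traffic signature described in the quoted report (ANY queries whose UDP checksum field is zero, repeated from one claimed source for one zone) from raw IPv4 packet bytes. The function names, the min_hits threshold and the sample_packet helper that builds constructed test input are assumptions made for illustration.

```python
import struct
from collections import Counter

QTYPE_ANY = 255  # DNS QTYPE "*" (ANY)

def classify(pkt):
    """Parse raw IPv4/UDP bytes; return traits of a DNS query to port 53, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 17:   # not IPv4 or not UDP
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 8 + 12:                  # UDP header + DNS header
        return None
    _sport, dport, _ulen, csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    dns = pkt[ihl + 8:]
    flags, qdcount = struct.unpack("!HH", dns[2:6])
    if dport != 53 or flags & 0x8000 or qdcount != 1:        # responses are skipped
        return None
    labels, i = [], 12
    while i < len(dns) and dns[i] != 0:
        n = dns[i]
        if n & 0xC0 or i + 1 + n > len(dns):                 # pointer or truncated label
            return None
        labels.append(dns[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    if i + 5 > len(dns):                                     # root label + QTYPE + QCLASS
        return None
    (qtype,) = struct.unpack("!H", dns[i + 1:i + 3])
    return {"src": ".".join(map(str, pkt[12:16])),
            "qname": ".".join(labels).lower() or ".",
            "any": qtype == QTYPE_ANY,
            "no_udp_checksum": csum == 0}                    # 0 = sender computed none (IPv4)

def suspects(packets, min_hits=3):
    """Count checksum-less ANY queries per (claimed source, qname); keep the repeats."""
    hits = Counter()
    for pkt in packets:
        t = classify(pkt)
        if t and t["any"] and t["no_udp_checksum"]:
            hits[(t["src"], t["qname"])] += 1
    return {key: n for key, n in hits.items() if n >= min_hits}

def sample_packet(src, qname, qtype, csum):
    """Constructed test input: minimal IPv4+UDP+DNS query bytes, only parsed locally."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + q + struct.pack("!BHH", 0, qtype, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), csum) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes([192, 0, 2, 53]))
    return ip + udp
```

The source address in such packets is the claimed one, so a hit identifies the address the replies are being steered towards rather than the sender.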