[dns-operations] annoying DDoS attack on ns0.rfc1035.com

Jim Reid jim at rfc1035.com
Sun Jun 10 19:10:54 UTC 2012


On 10 Jun 2012, at 17:20, Jan Inge Sande wrote:

> I'm seeing the same attack as Jim Reid described on one of my
> nameservers too (just found the "source"/target address on Gmane and
> signed up for the mailing list), at ~3Kqps/1.3Mbits at the moment (in
> Germany, AS24940). No UDP checksum, the source address is set to
> 37.221.160.125 and ANY queries for a zone that isn't and hasn't
> been in use (no records apart from DNSSEC, SOA and NS). I haven't
> seen anything on the other authoritative servers.

Interesting. FWIW, RIPE NCC's whois says this address block is linked  
to a different ASN from the one you found:

% Information related to '37.221.160.96 - 37.221.160.127'

inetnum:         37.221.160.96 - 37.221.160.127
netname:         IxamHosting
descr:           Shared/Reseller and VPS Hosting
country:         RO
admin-c:         MK12203-RIPE
tech-c:          MK12203-RIPE
status:          ASSIGNED PA
mnt-by:          VOXILITY-MNT
mnt-routes:      VOXILITY-MNT
mnt-lower:       VOXILITY-MNT
remarks:         INFRA-AW
source:          RIPE # Filtered

person:          Maximilian Kutzner
address:         Hauptstrasse 31
address:         92361 Röckersbühl
phone:           +49 1627297616
nic-hdl:         MK12203-RIPE
mnt-by:          VOXILITY-MNT
abuse-mailbox:   abuse at ixam-hosting.com
source:          RIPE # Filtered

% Information related to '37.221.160.0/21AS39743'

route:           37.221.160.0/21
descr:           voxility.net
origin:          AS39743
mnt-by:          VOXILITY-MNT
source:          RIPE # Filtered
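
Added example, not part of the original message or of either poster's tooling: a small detector for the traffic pattern described in the quoted report (ANY queries arriving with the UDP checksum field set to zero), counted per claimed source address. The packet builder, the zone name example.com, the address 198.51.100.7 and the threshold are constructed for illustration; only 37.221.160.125 comes from the thread.

```python
import struct
from collections import Counter

QTYPE_ANY = 255

def build_query(src_ip, qname, qtype, udp_checksum):
    """Build a constructed IPv4/UDP/DNS query packet (sample data only)."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), udp_checksum) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes([192, 0, 2, 53]))
    return ip + udp

def classify(packet):
    """Return (src_ip, qtype, checksum_is_zero) for a DNS query to port 53, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 17:
        return None                          # not IPv4/UDP
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 8 + 12:
        return None                          # too short for UDP + DNS header
    _sport, dport, _ulen, csum = struct.unpack_from("!HHHH", packet, ihl)
    dns = ihl + 8
    flags, qdcount = struct.unpack_from("!HH", packet, dns + 2)
    if dport != 53 or flags & 0x8000 or qdcount != 1:
        return None                          # not a single-question query
    pos = dns + 12
    while pos < len(packet) and packet[pos] != 0:
        if packet[pos] & 0xC0:               # compression pointer in a question
            return None
        pos += 1 + packet[pos]               # skip one label
    if pos + 5 > len(packet):
        return None                          # truncated before QTYPE/QCLASS
    qtype = struct.unpack_from("!H", packet, pos + 1)[0]
    # In IPv4 a zero UDP checksum is legal ("not computed"), so it is a
    # signal to combine with others, not proof of spoofing by itself.
    return ".".join(map(str, packet[12:16])), qtype, csum == 0

def suspicious_sources(packets, threshold):
    """Claimed sources with >= threshold ANY queries carrying a zero UDP checksum."""
    hits = Counter()
    for p in packets:
        info = classify(p)
        if info and info[1] == QTYPE_ANY and info[2]:
            hits[info[0]] += 1
    return {src: n for src, n in hits.items() if n >= threshold}

# Constructed sample traffic: 5 matching queries, 3 that must not match.
SAMPLE = ([build_query("37.221.160.125", "example.com", QTYPE_ANY, 0)] * 5
          + [build_query("198.51.100.7", "example.com", 1, 0xBEEF)] * 2
          + [build_query("198.51.100.7", "example.com", QTYPE_ANY, 0xBEEF)])
```

The address it reports is the one written into the packets, which in a spoofed flood is the intended victim, so the result is better suited to rate limiting responses toward that address than to attributing the sender.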




