[dns-operations] DDoS botnet behaviour
jim at rfc1035.com
Sun Jun 10 22:16:54 UTC 2012
On 10 Jun 2012, at 22:59, Kyle Creyts wrote:
> Someone mentioned that as soon as the spoofed client is blocked, that
> a new spoofed client is used... This behavior seems... strange.
I did and I was wrong.
My logs tended to have a few hundred entries at a time for the same
(spoofed?) IP address. So as soon as I blackholed the last IP address
in the log file, entries for another would be appended. At 4am, with a
caffeine deficit, this looks like a new client has immediately popped up
to replace the one that's just been nuked. In
fact, the "new" IP address was already there and its queries were lost
amongst the noise of the other 100+ addresses that were firing crap at
the name server.
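The misreading described above comes from judging by the tail of the log. An added illustration (not from the original post or list): count queries per client over the whole BIND-style query log instead, so a source that was "already there" shows up before its neighbour is blackholed. The log lines, addresses and query names are constructed sample data.

```python
import re
from collections import Counter

# Constructed BIND 9-style query-log excerpt (sample data, not from the post).
# The tail is dominated by one spoofed source; a second source is already present higher up.
SAMPLE_LOG = """\
10-Jun-2012 03:58:01.101 queries: info: client 203.0.113.7#1234: query: example.com IN ANY +E (198.51.100.1)
10-Jun-2012 03:58:01.102 queries: info: client 192.0.2.10#53000: query: example.com IN ANY +E (198.51.100.1)
10-Jun-2012 03:58:01.103 queries: info: client 192.0.2.10#53001: query: example.com IN ANY +E (198.51.100.1)
10-Jun-2012 03:58:01.104 queries: info: client 203.0.113.7#1235: query: example.com IN ANY +E (198.51.100.1)
10-Jun-2012 03:58:01.105 queries: info: client 192.0.2.10#53002: query: example.com IN ANY +E (198.51.100.1)
10-Jun-2012 03:58:01.106 queries: info: client 192.0.2.10#53003: query: example.com IN ANY +E (198.51.100.1)
10-Jun-2012 03:58:01.107 queries: info: client 192.0.2.10#53004: query: example.com IN ANY +E (198.51.100.1)
"""

# Matches the classic "client IP#port: query:" form and the later "client IP#port (zone): query:" form.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) queries: info: client (?P<ip>[^#\s]+)#\d+"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse_query_log(text):
    """Yield (timestamp, client_ip, qname, qtype) for every line in query-log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("qname"), m.group("qtype")

def clients_by_volume(text):
    """Query count per client address over the whole file (what the 4am view misses)."""
    return Counter(ip for _, ip, _, _ in parse_query_log(text))

def tail_clients(text, n):
    """The client set a 'tail -n' view shows: only the addresses in the last n lines."""
    return {ip for _, ip, _, _ in list(parse_query_log(text))[-n:]}

def already_present_before_last(text, blackholed_ip):
    """Other clients that had logged queries before blackholed_ip's final entry, i.e. the
    addresses that seem to 'appear' once it is dropped but were there all along."""
    records = list(parse_query_log(text))
    hits = [i for i, r in enumerate(records) if r[1] == blackholed_ip]
    if not hits:
        return Counter()
    return Counter(ip for _, ip, _, _ in records[:hits[-1]] if ip != blackholed_ip)
```

Running `tail_clients` on the last three lines shows only 192.0.2.10, while `already_present_before_last` shows 203.0.113.7 had two queries logged before that address was ever blackholed.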