[dns-operations] DDoS botnet behaviour

Jim Reid jim at rfc1035.com
Sun Jun 10 22:16:54 UTC 2012

On 10 Jun 2012, at 22:59, Kyle Creyts wrote:

> Someone mentioned that as soon as the spoofed client is blocked, that
> a new spoofed client is used... This behavior seems... strange.

I did and I was wrong.

My logs tended to have a few hundred entries at a time for the same
(spoofed?) IP address. So as soon as I blackholed the last IP address
in the log file, entries for another would be appended. At 4am and
there's a caffeine deficit, this looks like a new client has
immediately popped up to replace the one that's just been nuked. In
fact, the "new" IP address was already there and its queries were lost
amongst the noise of the other 100+ addresses that were firing crap at
the name server.

