[dns-operations] annoying DDoS attack on ns0.rfc1035.com

Zuleger, Holger, Vodafone Germany holger.zuleger at vodafone.com
Mon Jun 11 06:49:22 UTC 2012


> > What type of queries?
> 
> ANY queries for ihren.org with no UDP checksum:
> 
> shaun# tcpdump -vv -n port 53
> 09:32:30.139803 IP (tos 0x0, ttl 251, id 24876, offset 0, flags  
> [none], proto UDP (17), length 66) 37.221.160.125.28832 >  
> 93.186.33.42.53: [no cksum] 18554+ [1au] ANY? ihren.org. ar: . OPT  
> UDPsize=9000 (38)
> 09:32:30.139806 IP (tos 0x0, ttl 251, id 24877, offset 0, flags  
> [none], proto UDP (17), length 66) 37.221.160.125.28832 >  
> 93.186.33.42.53: [no cksum] 18554+ [1au] ANY? ihren.org. ar: . OPT  
> UDPsize=9000 (38)
> 09:32:30.139929 IP (tos 0x0, ttl 251, id 24878, offset 0, flags  
> [none], proto UDP (17), length 66) 37.221.160.125.28832 >  
> 93.186.33.42.53: [no cksum] 18554+ [1au] ANY? ihren.org. ar: . OPT  
> UDPsize=9000 (38)
I see the same query against my private domain. It started roughly on
the 25th of May.
What is common is the UDPsize of 9000 and that both domains are signed.
Because of that the amplification factor is much higher.

What I don't understand is that the source addresses are mostly out
of dynamic address pools from broadband ISPs around the world.
So the victims are residential users?

> I posted here to see if anyone else is experiencing this behaviour or
> can identify the root cause. DDoS attacks against "important" name
> servers are fairly common. Could the bad guys now be picking easier
> targets that may be more likely to fall over? And why pick on my name
> server which has never done anyone any harm?
I guess this is because of the higher amplification of signed zones.

There is a toolset which tries to find the highest amplification factor
by querying domains listed at SecSpider. I guess Johan was one of the
early DNSSEC adopters, as well as myself.
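As an added illustration (not code from anyone in this thread), a small Python detector for the pattern discussed above: ANY queries advertising an EDNS buffer of 9000 bytes, sent without a UDP checksum, repeated from the same source against a signed zone. The sample lines are constructed to mirror the quoted tcpdump output joined onto one line per packet; the 192.0.2.10 line is a constructed ordinary query for contrast.

```python
import re
from collections import Counter

# Constructed sample: the three quoted ANY queries (one line per packet) plus
# one constructed ordinary A query from 192.0.2.10 for contrast.
SAMPLE = """\
09:32:30.139803 IP (tos 0x0, ttl 251, id 24876, offset 0, flags [none], proto UDP (17), length 66) 37.221.160.125.28832 > 93.186.33.42.53: [no cksum] 18554+ [1au] ANY? ihren.org. ar: . OPT UDPsize=9000 (38)
09:32:30.139806 IP (tos 0x0, ttl 251, id 24877, offset 0, flags [none], proto UDP (17), length 66) 37.221.160.125.28832 > 93.186.33.42.53: [no cksum] 18554+ [1au] ANY? ihren.org. ar: . OPT UDPsize=9000 (38)
09:32:30.139929 IP (tos 0x0, ttl 251, id 24878, offset 0, flags [none], proto UDP (17), length 66) 37.221.160.125.28832 > 93.186.33.42.53: [no cksum] 18554+ [1au] ANY? ihren.org. ar: . OPT UDPsize=9000 (38)
09:32:31.000412 IP (tos 0x0, ttl 56, id 1201, offset 0, flags [none], proto UDP (17), length 70) 192.0.2.10.40000 > 93.186.33.42.53: [udp sum ok] 4242+ [1au] A? www.ihren.org. ar: . OPT UDPsize=4096 (42)
"""

# One tcpdump -vv DNS query line; the checksum note and the EDNS OPT are optional.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP .*? (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: (?P<cksum>\[no cksum\] |\[udp sum ok\] )?"
    r"(?P<qid>\d+)\+ (?:\[1au\] )?(?P<qtype>[A-Z]+)\? (?P<qname>\S+)"
    r"(?: ar: \. OPT UDPsize=(?P<bufsize>\d+))?"
)


def parse_queries(text):
    """Parse tcpdump -vv DNS query lines; lines that do not match are skipped."""
    queries = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        q = m.groupdict()
        q["no_cksum"] = q.pop("cksum") == "[no cksum] "
        # Without an OPT record the classic 512-byte DNS UDP limit applies.
        q["bufsize"] = int(q["bufsize"]) if q["bufsize"] else 512
        queries.append(q)
    return queries


def amplification_suspects(queries, min_bufsize=4096):
    """ANY queries that advertise a large EDNS buffer, or arrive without a UDP
    checksum, match the reflection pattern described in the thread (large signed
    answers, cheaply spoofed source). Real resolvers rarely do either."""
    return [q for q in queries
            if q["qtype"] == "ANY" and (q["bufsize"] >= min_bufsize or q["no_cksum"])]


def reflected_victims(suspects, threshold=3):
    """Group suspects by (source, qname). The 'source' of a spoofed query is the
    reflection victim, so a high count shows who is being flooded with answers."""
    counts = Counter((q["src"], q["qname"]) for q in suspects)
    return {key: n for key, n in counts.items() if n >= threshold}
```

Feeding live `tcpdump -vv -n port 53` output through `parse_queries` and `reflected_victims` gives the list of apparent sources that a response-rate-limiting or ANY-refusal policy should be protecting, rather than a list of attackers.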
