[dns-operations] annoying DDoS attack on ns0.rfc1035.com

Livingood, Jason Jason_Livingood at cable.comcast.com
Mon Jun 11 13:12:49 UTC 2012

Is it possible to determine the home gateway device (CPE) make and model
via SNMP? If they have open DNS proxies they probably have SNMP as well.

- Jason

On 6/11/12 3:24 AM, "sthaug at nethelp.no" <sthaug at nethelp.no> wrote:

>> I see the same query against my private domain. It started roughly at
>> the 25. of May.
>> What is common is the UDPsize of 9000 and that both domains are signed.
>> Because of that the amplification factor is mutch higher.
>> What I don't understand is that the source adresses are mostly out
>> of dynamic address pools from broadband ISP around the world.
>> So the victims are residentinal users?
>No, most likely the residential users have CPEs with DNS proxies which
>are open to queries from the WAN side. Thus the attack is typically:
>spoofed source -> CPE -> name server -> CPE -> DoS of spooofed source
>Steinar Haug, Nethelp consulting, sthaug at nethelp.no
>dns-operations mailing list
>dns-operations at lists.dns-oarc.net
>dns-jobs mailing list

More information about the dns-operations mailing list