[dns-operations] DNS Amplification in numbers

Jart Armin jart at jartarmin.com
Fri Nov 9 16:41:40 UTC 2012


Thanks Lutz,

Very useful findings which mirror our ongoing analysis, partly
reported here http://www.pcadvisor.co.uk/news/security/3407302/open-dns-resolvers-increasingly-abused-amplify-ddos-attacks-report-says/

On 42 DDoS attacks recently measured, around 140,000 IPs resulted, of
which around 8% are potential reflection and amplification relays. What
we can say is that 97% of the 11,189, essentially all, were open
recursive resolvers, misconfigured, older systems, and mostly running
mobile traffic.

What was interesting was the analysis of the attackers within the
study. The only ones really identified were RFI scanners / hackers in
a few cases, pounding away via multiple spoofed IPs, with very small
botnets.


On Fri, Nov 9, 2012 at 1:15 PM, Lutz Donnerhacke <lutz at iks-jena.de> wrote:
>
> About 7% of hosted servers are open relays causing between 20 to 80% of DNS
> traffic when misused by DNS reflection and amplification attacks.
>
> Which numbers do you see?
>
> http://lutz.donnerhacke.de/eng/Blog/DNS-Amplicfication-in-the-eyes-of-a-hosting-provider



--
Regards,
Jart Armin - CyberDefcon  HostExploit


