[dns-operations] DNS ANY record queries - Reflection Attacks

Mohamed Lrhazi ml623 at georgetown.edu
Tue Sep 11 05:30:05 UTC 2012


Can one generalize the mitigation given above to all query types or
all queries?

I am seeing peaks around 100,000 queries per hour, for several
consecutive hours at a time.

Thanks,
Mohamed.

On Tue, Sep 11, 2012 at 1:06 AM, Mohamed Lrhazi <ml623 at georgetown.edu> wrote:
> Just looked at my logs, and I am seeing the same thing, and we are
> georgetown.edu
>
> This is a report on last 24 hours, top clients, for ANY queries:
>
> Thanks,
> Mohamed.
>
> On Mon, Sep 10, 2012 at 11:52 PM, Robert Schwartz <smellyspice at gmail.com> wrote:
>> Hi All,
>>
>> We run a bunch of authoritative servers and have recently observed activity
>> best described in a post we found here:
>> https://isc.sans.edu/diary/DNS+ANY+Request+Cannon+-+Need+More+Packets/13261
>>
>> Using the iptables rules posted as a comment by Network Mouse (in the above
>> post), we've been able to reduce the amount of junk being sent to the target
>> host. Most of the target hosts seem to be in Asia, just like those mentioned
>> in the SANS post.
>>
>> The question I have for you all is: Is this something affecting other
>> operators? How have you been dealing with it?
>>
>> Thanks in advance for your feedback.
>>
>> -Rob
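
A sketch of the top-clients report for ANY queries and the per-hour peak count discussed in this thread, as an added example that is not part of the original messages. It assumes a BIND 9-style query log line format; the function names and the sample lines are constructed for illustration, and passing `qtype=None` extends the same count to all query types.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed BIND 9-style query log line; adjust the pattern to your server's log format.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ .*?"
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+[^:]*: query: \S+ IN (?P<qtype>\S+)"
)

# Constructed sample input (documentation address ranges), not data from the thread.
SAMPLE = """\
11-Sep-2012 03:10:01.100 queries: info: client 192.0.2.10#4242: query: example.edu IN ANY +E (203.0.113.53)
11-Sep-2012 03:10:01.200 queries: info: client 192.0.2.10#4242: query: example.edu IN ANY +E (203.0.113.53)
11-Sep-2012 03:10:02.000 queries: info: client 198.51.100.7#5353: query: www.example.edu IN A + (203.0.113.53)
11-Sep-2012 04:00:09.500 queries: info: client 192.0.2.10#4242: query: example.edu IN ANY +E (203.0.113.53)
11-Sep-2012 04:00:10.000 queries: info: client 198.51.100.99#1025: query: example.edu IN ANY +E (203.0.113.53)
""".splitlines()


def client_report(lines, qtype="ANY"):
    """Count queries per client and per hour; qtype=None counts every query type."""
    per_client, per_hour = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or (qtype is not None and m.group("qtype") != qtype):
            continue  # unparsable line or a query type we are not counting
        per_client[m.group("ip")] += 1
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
        per_hour[ts.strftime("%Y-%m-%d %H:00")] += 1
    total = sum(per_client.values())
    # Rows sorted by count, highest first: (client, count, percent of counted queries).
    rows = [(ip, n, round(100.0 * n / total, 6)) for ip, n in per_client.most_common()]
    return rows, per_hour


def peak_hours(per_hour, threshold):
    """Return the hour buckets whose query count reaches the threshold."""
    return sorted(hour for hour, n in per_hour.items() if n >= threshold)


if __name__ == "__main__":
    rows, per_hour = client_report(SAMPLE)
    print("client,count,percent")
    for ip, n, pct in rows:
        print(f'"{ip}",{n},"{pct:.6f}"')
    print("hours with at least 2 ANY queries:", peak_hours(per_hour, 2))
```

On a production log the threshold would be set from the server's normal hourly baseline rather than the small value used with the sample.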