[dns-operations] DNS ANY record queries - Reflection Attacks
Klaus Darilion
klaus.mailinglists at pernau.at
Wed Sep 12 09:36:19 UTC 2012
On 12.09.2012 11:06, Simon Munton wrote:
> We've been seeing 1000's of ANY queries/sec for many months, but use RRL
> to filter them, so haven't been too bothered - mostly hitting our Tokyo
> node.
>
> http://stats.cdns.net/public/0.0.0.1/D4AE52-BBA337.html
>
> But I can confirm we ARE getting the same pattern in the port & ID
>
> I'm thinking a rate limiter in iptables using -u32 should be possible.
>
>
> One thing we did notice was they use an impressively wide range of
> different domain names in their queries, leading us to wonder if it is
> just a simple reflection attack.
I also wondered if maybe it is just a legitimate user trying to "mirror"
the DNS. But today's most seen source on our DNS servers is 113.21.221.21
which is assigned to nexusguard.com which "protects E-Business from DDoS
attacks". This makes me believe that it is an amplification attack.
regards
Klaus
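
The idea raised in the thread, limiting ANY queries per source so that a spoofed victim address receives little reflected traffic, shown as an added userspace example that is not from either poster and is neither the iptables u32 rule nor RRL itself. The names `parse_qtype`, `AnyLimiter` and `build_query`, the /24 grouping and the rate and burst values are assumptions chosen for illustration.

```python
import struct

QTYPE_ANY = 255  # QTYPE value for "ANY" (RFC 1035 "*")

def parse_qtype(packet: bytes):
    """Return QTYPE of the first question of a DNS query, or None if malformed."""
    if len(packet) < 12:
        return None
    _qid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount < 1:      # QR bit set means a response
        return None
    pos = 12
    while pos < len(packet):
        length = packet[pos]
        if length & 0xC0:                  # pointers are not expected in a question
            return None
        pos += 1 + length
        if length == 0:                    # root label ends QNAME
            if pos + 4 > len(packet):
                return None
            return struct.unpack("!HH", packet[pos:pos + 4])[0]
    return None

class AnyLimiter:
    """Token bucket per IPv4 /24, charged only for ANY queries."""
    def __init__(self, rate=5.0, burst=10.0):
        self.rate, self.burst = rate, burst
        self.buckets = {}                  # prefix -> (tokens, last timestamp)

    def allow(self, src_ip: str, packet: bytes, now: float) -> bool:
        if parse_qtype(packet) != QTYPE_ANY:
            return True                    # non-ANY or unparseable: not limited here
        prefix = src_ip.rsplit(".", 1)[0]
        tokens, last = self.buckets.get(prefix, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= 1.0
        self.buckets[prefix] = (tokens - 1.0 if ok else tokens, now)
        return ok

def build_query(name: str, qtype: int, qid: int = 0x1234) -> bytes:
    """Build a constructed sample query (RD set, one question, class IN)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)
```

Because the source address of a reflected query is the victim's, grouping by source prefix caps what any one victim network can be sent, whatever domain names the queries rotate through.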