[dns-operations] DNS ANY record queries - Reflection Attacks
klaus.mailinglists at pernau.at
Wed Sep 12 09:36:19 UTC 2012
On 12.09.2012 11:06, Simon Munton wrote:
> We've been seeing 1000's of ANY queries/sec for many months, but use RRL
> to filter them, so haven't been too bothered - mostly hitting our Tokyo
> But I can confirm we ARE getting the same pattern in the port & ID
> I'm thinking a rate limiter in iptables using -u32 should be possible.
> One thing we did notice was they use an impressively wide range of
> different domain names in their queries, leading us to wonder if it is
> just a simple reflection attack.
I also wondered if maybe it is just a legitimate user trying to "mirror"
the DNS. But today's most seen source on our DNS servers is 18.104.22.168
which is assigned to nexusguard.com which "protects E-Business from DDoS
attacks". This makes me believe that it is an amplification attack.
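
Added example, not part of the original message or of either poster's tooling: a small Python sketch of the per-source view discussed above, parsing DNS query payloads, keeping only QTYPE ANY (255), and reporting how many ANY queries and how many distinct names each source sent. The sample packets and addresses are constructed (documentation ranges), and the function names are hypothetical; on a real server the "source" of reflected traffic is the spoofed address.

```python
import struct
from collections import defaultdict

QTYPE_ANY = 255  # RFC 1035 QTYPE "*"

def build_query(txid, qname, qtype):
    """Build a minimal DNS query (used only to construct sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(packet):
    """Return (txid, qname, qtype) for a query; None if malformed or a response."""
    if len(packet) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:  # QR bit set means response
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            return None
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        if n > 63 or pos + n > len(packet):  # rejects pointers and truncation
            return None
        labels.append(packet[pos:pos + n].decode("ascii", "replace").lower())
        pos += n
    if pos + 4 > len(packet):
        return None
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype

def any_query_summary(packets):
    """Per source: (source, ANY query count, distinct names), busiest first."""
    stats = defaultdict(lambda: {"any": 0, "names": set()})
    for src, payload in packets:
        q = parse_question(payload)
        if q and q[2] == QTYPE_ANY:
            stats[src]["any"] += 1
            stats[src]["names"].add(q[1])
    rows = ((s, v["any"], len(v["names"])) for s, v in stats.items())
    return sorted(rows, key=lambda r: -r[1])

# Constructed sample: (source address, UDP payload) pairs, not captured traffic.
SAMPLE = [("192.0.2.10", build_query(i, f"zone{i}.example", QTYPE_ANY)) for i in range(5)]
SAMPLE += [("198.51.100.7", build_query(9, "www.example", 1)),
           ("198.51.100.7", build_query(10, "example", QTYPE_ANY)),
           ("203.0.113.5", b"\x00\x01")]
```

A source with a high ANY count spread over many distinct names matches the pattern described in the quoted message; the counts alone do not distinguish a spoofed victim from a real client.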