[dns-operations] DNS ANY record queries - Reflection Attacks

Klaus Darilion klaus.mailinglists at pernau.at
Wed Sep 12 09:36:19 UTC 2012

On 12.09.2012 11:06, Simon Munton wrote:
> We've been seeing 1000's of ANY queries/sec for many months, but use RRL
> to filter them, so haven't been too bothered - mostly hitting our Tokyo
> node.
> http://stats.cdns.net/public/
> But I can confirm we ARE getting the same pattern in the port & ID
> I'm thinking a rate limiter in iptables using -u32 should be possible.
> One thing we did notice was they use an impressively wide range of
> different domain names in their queries, leading us to wonder if it is
> just a simple reflection attack.

I also wondered if maybe it is just a legitimate user trying to "mirror"
the DNS. But today's most seen source on our DNS servers is
which is assigned to nexusguard.com which "protects E-Business from DDoS
attacks". This makes me believe that it is an amplification attack.

