[dns-operations] Fwd: [AusNOG] Layer 7 - Distrusted Source (within a single AS) Distrusted Distention - Denial of Service Attack

David C Lawrence tale at akamai.com
Tue Oct 15 16:47:04 UTC 2013

Damian Menscher writes:
> I'm curious if anyone knows the significance of that 7-byte string?  They
> say it's common to all attack traffic, whether the query or the response,
> so that suggests it's the qname.  But it doesn't look like a valid qname
> to me, so open resolvers wouldn't respond to it with any amplification.
> What am I missing?

The original report is quite unclear on where the string occurs in the
packet.  It could just be a common prefix for domain names for which
the responding resolvers would provide large negative answers.
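
Added example, not part of the original message or the report it discusses: a Python sketch of the hypothesis above, showing that a 7-byte string that is only the first label of a longer name sits at the same offset in both query and response without being a complete qname on its own. The name, the 7-byte pattern and the function names are constructed for illustration.

```python
import struct

def encode_qname(name):
    """Dotted name -> DNS wire format: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def is_complete_qname(buf):
    """True only if buf is exactly one well-formed, uncompressed name."""
    i = 0
    while i < len(buf):
        n = buf[i]
        if n == 0:
            return i == len(buf) - 1   # terminator must be the last byte
        if n > 63:
            return False               # compression pointer or invalid length
        i += 1 + n
    return False                       # ran out of bytes before the terminator

def build_message(name, response=False):
    """12-byte header plus one question (QTYPE ANY, class IN); no records."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 255, 1)

def locate(pattern, msg):
    """Report where pattern first occurs relative to header and question name."""
    off = msg.find(pattern)
    if off < 0:
        return "absent"
    if off < 12:
        return "header"
    end = 12
    while msg[end]:                    # walk labels to the name terminator
        end += 1 + msg[end]
    if off == 12:
        return "qname-prefix"
    return "inside-qname" if off <= end else "after-question"

NAME = "abcdef.example.com"            # constructed name, not from the report
PATTERN = encode_qname(NAME)[:7]       # constructed 7-byte string: b"\x06abcdef"

if __name__ == "__main__":
    for kind, resp in (("query", False), ("response", True)):
        print(kind, locate(PATTERN, build_message(NAME, resp)))
    print("pattern is a complete qname:", is_complete_qname(PATTERN))
```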

