[dns-operations] blocking malicious dns traffic

bert hubert bert.hubert at netherlabs.nl
Fri Jul 4 07:12:06 UTC 2014


On Thu, Jul 03, 2014 at 10:19:30PM -0700, Kelsey Cummings wrote:
> We are seeing a pretty short list of domains used for this attack right now so I don't see any short term scaling issues.  Are other providers seeing a large number of domains used?

We see a short list of domains, rotating quickly (once an hour or so,
sometimes slower, sometimes faster).

Interestingly, from conversations with various service providers, we've
learned that even a semi-decent security/abuse program cleans up these
issues as it appears affected hosts are quite visible in their behaviour,
and get flagged before they hog the DNS server.

It is only service providers that do not have an abuse desk that works that
have this issue, since DNS is the first time they note they have customers
that send out malicious traffic.

	Bert



