[dns-operations] Interesting messages in our logs

Keith Mitchell keith at dns-oarc.net
Sun Nov 2 16:52:35 UTC 2014

If you didn't already check it out, you may find this presentation at
our last workshop adds some background:



On 11/02/2014 08:52 AM, Lyle Giese wrote:
> Just to flush out the details here, in case anyone is wondering.  We
> have a small number of domains that are DNSSEC signed, but those under
> attack are not signed.
> In the past two days, I am seeing RRL kicking in heavily for queries for
> host names or subdomains in the form:
> <variable>.example.com
> From IPv4 and IPv6 Google ip addresses.  At the same time, but I see a
> few of the 'no more TCP clients: quota reached' messages. Again, after
> the RRL limit kicking in, rolling over to TCP is expected.
> I am seeing the 'attack' first against one domain for a period of only a
> few(less than 5) minutes.  And then the next day, another flurry of
> activity against another domain lasting about 4 minutes.
> I am not sure what the goal is of the attackers yet.  But in bouncing
> the queries through Google does a pretty good job of hiding their
> identity from me.

More information about the dns-operations mailing list