[dns-operations] Interesting messages in our logs
Keith Mitchell
keith at dns-oarc.net
Sun Nov 2 16:52:35 UTC 2014
If you didn't already check it out, you may find this presentation at
our last workshop adds some background:
https://indico.dns-oarc.net//contributionDisplay.py?contribId=37&sessionId=3&confId=20
Keith
On 11/02/2014 08:52 AM, Lyle Giese wrote:
> Just to flesh out the details here, in case anyone is wondering. We
> have a small number of domains that are DNSSEC signed, but those under
> attack are not signed.
>
> In the past two days, I am seeing RRL kicking in heavily for queries for
> host names or subdomains in the form:
>
> <variable>.example.com
>
> From IPv4 and IPv6 Google IP addresses. At the same time, I see a
> few of the 'no more TCP clients: quota reached' messages. Again, after
> the RRL limit kicking in, rolling over to TCP is expected.
>
> I am seeing the 'attack' first against one domain for a period of only a
> few (less than 5) minutes. And then the next day, another flurry of
> activity against another domain lasting about 4 minutes.
>
> I am not sure what the goal is of the attackers yet. But bouncing
> the queries through Google does a pretty good job of hiding their
> identity from me.
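
The query pattern described in the quoted message (many different `<variable>.example.com` names against one zone within a few minutes) can be picked out of query logs with a per-zone, per-minute count of distinct names. The following is an added example, not part of the original thread; the BIND 9-style log layout, the thresholds, the function names and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed BIND 9-style query-log layout; adjust the pattern to your server's format.
LINE_RE = re.compile(r"^(?P<day>\S+) (?P<hhmm>\d\d:\d\d):\S+ .*?client "
                     r"(?P<client>[0-9a-fA-F.:]+)#\d+.*?query: (?P<qname>\S+) IN \S+")

def find_zone(qname, zones):
    """Return (zone, labels left of the zone) for the longest matching served zone."""
    name = qname.rstrip(".").lower()
    for zone in sorted(zones, key=len, reverse=True):
        if name.endswith("." + zone):
            return zone, name[: -len(zone) - 1]
    return None, None  # not one of our zones, or a query for the apex itself

def detect_random_subdomain_bursts(lines, zones, min_queries=5, min_unique_ratio=0.9):
    """Flag (zone, minute) buckets where nearly every query asks for a different name."""
    buckets = defaultdict(lambda: {"queries": 0, "labels": set(), "clients": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        zone, prefix = find_zone(m["qname"], zones)
        if zone is None:
            continue
        b = buckets[(zone, f"{m['day']} {m['hhmm']}")]
        b["queries"] += 1
        b["labels"].add(prefix)
        b["clients"].add(m["client"])
    alerts = []
    for (zone, minute), b in sorted(buckets.items()):
        ratio = len(b["labels"]) / b["queries"]
        if b["queries"] >= min_queries and ratio >= min_unique_ratio:
            alerts.append({"zone": zone, "minute": minute, "queries": b["queries"],
                           "unique_names": len(b["labels"]), "clients": sorted(b["clients"])})
    return alerts

# Constructed sample: six one-off names for example.com in one minute, plus normal traffic.
SAMPLE = [
    f"02-Nov-2014 08:40:{i:02d}.000 client 192.0.2.{10 + i % 2}#4000{i} ({lab}.example.com): "
    f"query: {lab}.example.com IN A -E (198.51.100.1)"
    for i, lab in enumerate(["k3j9x", "qpz71", "m0vbe", "zz8ra", "h2ufw", "c9d4t"])
] + [
    f"02-Nov-2014 08:40:{30 + i}.000 client 203.0.113.5#5000{i} (www.example.net): "
    "query: www.example.net IN A -E (198.51.100.1)"
    for i in range(6)
]

if __name__ == "__main__":
    print(detect_random_subdomain_bursts(SAMPLE, {"example.com", "example.net"}))
```

The client addresses in each alert are the resolvers that forwarded the queries, so they identify the open resolver in use rather than the original requester.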