[dns-operations] Botnets, botnets everywhere

Roland Dobbins rdobbins at arbor.net
Thu Sep 11 13:00:37 UTC 2014


On Sep 11, 2014, at 8:42 PM, Peter Andreev <andreev.peter at gmail.com> wrote:

> I'd like to ask the respected community, how do you detect and protect against such activity?

What we've seen of this particular attack methodology (as you rightly
deduced) over the last six months or so indicates that the placement
of the prefix is consistent, as is the size.

So, if you have the ability to perform regexp-type filtering on the
queries you receive on ingress, that's one possible answer
(unless/until the attack using/creating this particular attack script
changes things up).

FYI, most of these queries seem to be reflected through abusable CPE
devices which are misconfigured by default as open recursors or DNS
forwarders.  It may be worth considering investigating, and if this
proves to be the case, blacklisting those netblocks and contacting the
operator(s) in question in order to ask them to remediate the nodes in
question (this could all be scripted, along with a periodic check
which would remove the blacklisting once remediation occurs).

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>



More information about the dns-operations mailing list