[dns-operations] Botnets, botnets everywhere

Richard Clayton richard at highwayman.com
Thu Sep 11 19:00:13 UTC 2014


In message <5411D5B6.8090801 at isc.org>, Cathy Almond <cathya at isc.org>
writes

>There's a lot of this about.

I agree ... and I have some extensive measurements of it.

>We did awhile back wonder if it was botnet-related, but I've not (yet)
>seen any persuasive evidence that it is.

I agree with the view that it's an attack on the authoritative server
and I have been told that it's pretty effective at that!

Although the attack could be done with a botnet or by reflecting traffic
off end-user equipment, many of the attacks I have seen involve source
IP spoofing. I deduce this by noting that a fairly large percentage of
the traffic comes from blocks of IPs that are not currently routed on
the open Internet.

I wonder to what extent the end-user equipment is being blamed when
it's just routed IPs which are being used.

It would be interesting to confirm my observation (or at least segment
the attacks into those where this is a tactic).

-- 
Dr Richard Clayton                         <richard.clayton at cl.cam.ac.uk>
                                  tel: 01223 763570, mobile: 07887 794090
                    Computer Laboratory, University of Cambridge, CB3 0FD

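The deduction in the post above (a large share of query sources falling in address blocks that are not routed on the open Internet points to source spoofing) can be turned into a routine measurement on an authoritative server's query log. The script below is an added example and is not code from the thread or from Richard Clayton; it assumes a BIND-style query-log line format, a constructed stand-in for a routed-prefix snapshot (in practice a BGP table export from a route collector), and constructed sample log lines.

```python
"""Measure what share of DNS query traffic comes from unrouted source space.

Added example, not from the dns-operations thread. Assumptions:
- ROUTED_PREFIXES stands in for a routing-table snapshot; a real deployment
  would load it from a BGP table dump. The prefixes here are constructed.
- SAMPLE_LOG lines are constructed, roughly in BIND query-log style.
"""
import ipaddress
import re
from collections import Counter

# Constructed stand-in for a routed-prefix snapshot (documentation ranges
# used purely as sample data, not a claim about what is actually announced).
ROUTED_PREFIXES = [ipaddress.ip_network(p) for p in (
    "192.0.2.0/24",
    "198.51.100.0/24",
)]

# Constructed query-log lines; names and addresses are sample values only.
SAMPLE_LOG = """\
11-Sep-2014 18:59:01.100 client 192.0.2.55#3493: query: www.example.com IN A +E (192.0.2.1)
11-Sep-2014 18:59:01.102 client 10.7.7.7#1025: query: x1.example.com IN A + (192.0.2.1)
11-Sep-2014 18:59:01.104 client 198.51.100.9#53281: query: mail.example.com IN MX -E (192.0.2.1)
11-Sep-2014 18:59:01.107 client 203.0.113.88#2049: query: x2.example.com IN A + (192.0.2.1)
11-Sep-2014 18:59:01.109 client 240.1.1.1#4444: query: x3.example.com IN A + (192.0.2.1)
11-Sep-2014 18:59:01.111 client 0.1.2.3#4445: query: x4.example.com IN A + (192.0.2.1)
11-Sep-2014 18:59:01.113 client 192.0.2.56#3494: query: www.example.com IN AAAA +E (192.0.2.1)
this line has no client field and is skipped
"""

# Matches both the older "client 192.0.2.55#3493:" and the newer
# "client @0x... 192.0.2.55#3493 (name):" BIND query-log forms.
CLIENT_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?(\d{1,3}(?:\.\d{1,3}){3})#\d+")


def classify_source(addr, routed=ROUTED_PREFIXES):
    """Return 'routed', 'special-purpose' or 'unrouted-public' for an IPv4 source.

    'special-purpose' covers private, loopback, reserved, documentation and
    shared address space, i.e. anything the ipaddress module does not treat
    as globally routable; 'unrouted-public' is global space absent from the
    routed-prefix snapshot.
    """
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in routed):
        return "routed"
    if not ip.is_global:
        return "special-purpose"
    return "unrouted-public"


def extract_sources(log_text):
    """Yield the client IPv4 address from each query-log line that carries one."""
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            yield m.group(1)


def unrouted_share(log_text, routed=ROUTED_PREFIXES):
    """Return (counts by category, fraction of queries from unrouted space)."""
    counts = Counter(classify_source(src, routed) for src in extract_sources(log_text))
    total = sum(counts.values())
    unrouted = total - counts["routed"]
    return counts, (unrouted / total if total else 0.0)


if __name__ == "__main__":
    counts, share = unrouted_share(SAMPLE_LOG)
    for category, n in sorted(counts.items()):
        print(f"{category:17s} {n}")
    print(f"share of queries from unrouted source space: {share:.0%}")
```

A high share of unrouted sources cannot be explained by compromised end-user equipment answering from its own address, which is the distinction the post draws; splitting the unrouted bucket into special-purpose space and public-but-unannounced space also separates the attacks that use this tactic from those that do not.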



More information about the dns-operations mailing list