[dns-operations] maybe a small tcp flood
Randy Bush
randy at psg.com
Tue Jun 22 22:56:16 UTC 2021
>> tcp query flood for cctlds and sec.cctlds, could be others
>> being sent via popular open servers: goog, neustar, ...
>> O(100)qps or higher
>
> - What was the duration of the event (UTC time start and end)?
after a short break, it is ongoing
> - Any stats on the rtype(s)?
> - Any stats on the mix of qnames?
> * Repeated or distinct?
> * Extant, NODATA or NXDOMAIN?
i am just running dnstop from cli. admit to needing to spend time on
better tooling. but hard to justify without some feeling that i would
be able to configure a significant defense given new data. i have a
many decade history of just waiting for net idiots to go away.
> - Any stats on the upstream client distribution?
big dns resolvers: goog, yandex, ... though today, it seems pretty
distributed
Sources                  Count      %   cum%
-------------------- --------- ------ ------
184.80.47.40             31158    0.5    0.5
212.16.184.205           22261    0.3    0.8
112.198.115.36           18408    0.3    1.1
2001:fd8:220::4          17941    0.3    1.4
123.176.0.20             16481    0.2    1.6
212.77.192.101           14925    0.2    1.8
78.100.2.13              14913    0.2    2.1
59.18.54.69              14632    0.2    2.3
...
> To elicit TCP requests from the public DNS providers the queries would
> likely have to first elicit truncated UDP replies (DNSKEY RRset, signed
> denial of existence, ...). Did you also observe the associated UDP
> traffic?
have not had the time to look.
randy
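The questions raised in this thread (rtype mix, repeated vs. distinct qnames, extant/NODATA/NXDOMAIN split, upstream client distribution, and whether TCP queries are preceded by truncated UDP replies) can be answered from a plain query/response log. The script below is an added example, not code from the thread, from dnstop, or from any nameserver; it assumes a constructed, simplified one-line-per-transaction text format (source, protocol, qname, qtype, rcode, answer count, TC flag) that a real deployment would have to produce from its own logging or dnstap export.

```python
"""Triage summary for a DNS query flood from a simple text log.

Added example. The log format is constructed for this illustration:
  <src> <udp|tcp> <qname> <qtype> <rcode> <ancount> <tc 0|1>
Each line is one query plus the response the server gave it.
"""
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple


class Record(NamedTuple):
    src: str
    proto: str      # "udp" or "tcp"
    qname: str
    qtype: str
    rcode: str      # "NOERROR", "NXDOMAIN", ...
    ancount: int    # answers in the response
    tc: bool        # TC bit set on the response (UDP reply truncated)


# Constructed sample: TC'd UDP replies each followed by a TCP retry,
# mixing a DNSKEY query with repeated and random-looking A queries.
SAMPLE_LOG = """\
192.0.2.10 udp example.test. DNSKEY NOERROR 0 1
192.0.2.10 tcp example.test. DNSKEY NOERROR 4 0
192.0.2.10 udp example.test. DNSKEY NOERROR 0 1
192.0.2.10 tcp example.test. DNSKEY NOERROR 4 0
198.51.100.7 udp www.example.test. A NOERROR 1 0
198.51.100.7 udp qz8.example.test. A NXDOMAIN 0 1
198.51.100.7 tcp qz8.example.test. A NXDOMAIN 0 0
203.0.113.5 udp abc1.example.test. A NXDOMAIN 0 1
203.0.113.5 tcp abc1.example.test. A NXDOMAIN 0 0
203.0.113.5 udp abc2.example.test. A NXDOMAIN 0 1
203.0.113.5 tcp abc2.example.test. A NXDOMAIN 0 0
"""


def parse_log(text: str) -> List[Record]:
    """Parse the constructed log format; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, proto, qname, qtype, rcode, ancount, tc = line.split()
        records.append(Record(src, proto.lower(), qname.lower(), qtype.upper(),
                              rcode.upper(), int(ancount), tc == "1"))
    return records


def qtype_mix(records: List[Record]) -> Dict[str, int]:
    return dict(Counter(r.qtype for r in records))


def qname_stats(records: List[Record]) -> Dict[str, int]:
    """Repeated vs. distinct qnames: a high distinct ratio suggests random labels."""
    names = Counter(r.qname for r in records)
    return {"queries": len(records), "distinct": len(names),
            "repeated_names": sum(1 for n in names.values() if n > 1)}


def answer_mix(records: List[Record]) -> Dict[str, int]:
    """Extant / NODATA / NXDOMAIN; truncated replies are judged separately
    because their answer section was cut before it could be counted."""
    mix: Counter = Counter()
    for r in records:
        if r.tc:
            mix["TRUNCATED"] += 1
        elif r.rcode == "NXDOMAIN":
            mix["NXDOMAIN"] += 1
        elif r.rcode == "NOERROR" and r.ancount == 0:
            mix["NODATA"] += 1
        else:
            mix["EXTANT"] += 1
    return dict(mix)


def source_table(records: List[Record], top: int = 5) -> List[Tuple[str, int, float, float]]:
    """Per-source count with percent and cumulative percent, like dnstop's Sources view."""
    total = len(records)
    rows, cum = [], 0.0
    for src, n in Counter(r.src for r in records).most_common(top):
        pct = 100.0 * n / total
        cum += pct
        rows.append((src, n, round(pct, 1), round(cum, 1)))
    return rows


def tcp_fallback_stats(records: List[Record]) -> Dict[str, int]:
    """Correlate TCP queries with an earlier truncated UDP reply for the
    same (src, qname, qtype): the footprint TCP fallback leaves behind."""
    seen_tc = set()
    stats = {"udp": 0, "udp_truncated": 0, "tcp": 0, "tcp_after_truncation": 0}
    for r in records:
        key = (r.src, r.qname, r.qtype)
        if r.proto == "udp":
            stats["udp"] += 1
            if r.tc:
                stats["udp_truncated"] += 1
                seen_tc.add(key)
        else:
            stats["tcp"] += 1
            if key in seen_tc:
                stats["tcp_after_truncation"] += 1
    return stats


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("qtypes:", qtype_mix(recs))
    print("qnames:", qname_stats(recs))
    print("answers:", answer_mix(recs))
    print("tcp fallback:", tcp_fallback_stats(recs))
    for src, n, pct, cum in source_table(recs):
        print(f"{src:<20} {n:>9} {pct:>6.1f} {cum:>6.1f}")
```

A `tcp_after_truncation` count close to the `tcp` total is the signature of the mechanism the thread describes: TCP load that is really UDP fallback, so the UDP side of the same log is where the qname and rtype choices driving the flood become visible.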