[dns-operations] maybe a small tcp flood

Randy Bush randy at psg.com
Tue Jun 22 22:56:16 UTC 2021


>> tcp query flood for cctlds and sec.cctlds, could be others
>> being sent via popular open servers: goog, neustar, ...
>> O(100)qps or higher
> 
> - What was the duration of the event (UTC time start and end)?

after a short break, it is ongoing

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dns-dos.jpg
Type: image/jpeg
Size: 41003 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20210622/0490021d/attachment.jpg>
-------------- next part --------------

> - Any stats on the rtype(s)?


> - Any stats on the mix of qnames?
>     * Repeated or distinct?
>     * Extant, NODATA or NXDOMAIN?

i am just running dnstop from cli.  admit to need to spend time on
better tooling.  but hard to justify without some feeling that i would
be able to configure a significant defense given new data.  i have a
many decade history of just waiting for net idiots to go away.

> - Any stats on the upstream client distribution?

big dns resolvers: goog, yandex, ...  though today, it seems pretty
distributed

Sources                  Count      %   cum%
-------------------- --------- ------ ------
184.80.47.40             31158    0.5    0.5
212.16.184.205           22261    0.3    0.8
112.198.115.36           18408    0.3    1.1
2001:fd8:220::4          17941    0.3    1.4
123.176.0.20             16481    0.2    1.6
212.77.192.101           14925    0.2    1.8
78.100.2.13              14913    0.2    2.1
59.18.54.69              14632    0.2    2.3
...

> To elicit TCP requests from the public DNS providers the queries would
> likely have to first elicit truncated UDP replies (DNSKEY RRset, signed
> denial of existence, ...).  Did you also observe the associated UDP
> traffic?

have not had the time to look.

randy


More information about the dns-operations mailing list