
Mailing List Archive: NANOG: users
DNS Attacks
 



lists at 1337

Jan 17, 2012, 9:04 PM


DNS Attacks

Hi list,

I am wondering if anyone else has seen a large amount of DNS queries
coming from various IP ranges in China. I have been trying to find a
pattern in the attacks but so far I have come up blank. I am completely
guessing these are possibly DNS amplification attacks but I am not
sure. Usually what I see is this:

- Attacks most commonly between the hours of 4AM-4PM UTC
- DNS queries appear to be for real domains that the DNS servers in
question are authoritative for (I can't really see any pattern there,
there are about 150,000 zones on the servers in question)
- From a range of IPs there will be an attack for approximately 5-10
minutes before stopping and then a break of 30 minutes or so before
another attack from a different IP range
- Every IP range has been from China

I have limited the number of queries that can be done to mitigate this
but it's messing up my pretty netflow graphs due to the spikes in
flows/packets being sent.

Does anyone have any ideas what the reasoning behind this could be? I
would also be interested to hear from anyone else experiencing this
too.

I can provide IP ranges from where I am seeing the issue but it does
vary a lot between the attacks with the only pattern every time being
the source address is located in China. I read a thread earlier,
http://seclists.org/nanog/2011/Nov/920, which sounds like the exact
thing I am seeing.

Thanks
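
One way to test query logs for the burst pattern described in the post above (several minutes of queries from one source range, then a quiet period, then a different range), as an added example that is not part of the original message. The record layout, the /24 grouping, the thresholds and the sample data are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

def make_sample():
    """Constructed (epoch_s, src_ip, qname) records; RFC 5737 addresses, not real traffic."""
    recs = [(t, f"192.0.2.{1 + i % 50}", f"zone{i % 7}.example")
            for i, t in enumerate(range(0, 301, 10))]        # 5-minute burst
    recs += [(t, f"198.51.100.{1 + i % 50}", f"zone{i % 9}.example")
             for i, t in enumerate(range(2100, 2701, 10))]   # 10-minute burst, 30 min later
    recs += [(t, "203.0.113.7", "www.zone1.example")
             for t in range(0, 2701, 900)]                   # low-rate background client
    return recs

def find_bursts(records, prefix_len=24, gap=120, min_queries=20):
    """Group queries by source prefix, then split each group into runs that
    contain no silence longer than `gap` seconds; keep runs of >= min_queries."""
    by_prefix = defaultdict(list)
    for ts, src, qname in records:
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        by_prefix[net].append((ts, qname))
    bursts = []
    for net, events in by_prefix.items():
        events.sort()
        run = []
        for ev in events + [None]:                           # None flushes the final run
            if ev is not None and (not run or ev[0] - run[-1][0] <= gap):
                run.append(ev)
                continue
            if len(run) >= min_queries:
                bursts.append({"prefix": str(net), "start": run[0][0],
                               "end": run[-1][0], "queries": len(run),
                               "names": len({q for _, q in run})})
            run = [ev] if ev is not None else []
    return sorted(bursts, key=lambda b: b["start"])

def quiet_gaps(bursts):
    """Seconds of silence between the end of one burst and the start of the next."""
    return [b["start"] - a["end"] for a, b in zip(bursts, bursts[1:])]

if __name__ == "__main__":
    found = find_bursts(make_sample())
    for b in found:
        print(f'{b["prefix"]:18} {b["end"] - b["start"]:4d}s '
              f'{b["queries"]:3d} queries {b["names"]:2d} names')
    print("quiet gaps (s):", quiet_gaps(found))
```

The per-burst count of distinct names helps separate queries spread across many hosted zones from repeated queries for a single name.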
