nanog mailing list archives

Re: DNS Attacks

From: Christopher Morrow <morrowc.lists () gmail com>
Date: Wed, 18 Jan 2012 00:34:19 -0500

On Wed, Jan 18, 2012 at 12:04 AM, toor <lists () 1337 mx> wrote:

Hi list,

I am wondering if anyone else has seen a large amount of DNS queries
coming from various IP ranges in China. I have been trying to find a


china is a big country....

pattern in the attacks but so far I have come up blank. I am completly
guessing these are possibly DNS amplification attacks but I am not
sure. Usually what I see is this:

- Attacks most commonly between the hours of 4AM-4PM UTC
- DNS queries appear to be for real domains that the DNS servers in
question are authoritive for (I can't really see any pattern there,
there are about 150,000 zones on the servers in question)

yup

- From a range of IP's there will be an attack for approximately 5-10
minutes before stopping and then a break of 30 minutes or so before
another attack from a different IP range


marka noted that the source is really the thing being attacked, that
seems to be the case in the incidents I've seen (and which I"ve seen
other folks also make note of, over the last ~2-3 months)

- Every IP range has been from China


yup, probably over .cn peer links? if you have them...

I have limited the number of queries that can be done to mitigate this
but its messing up my pretty netflow graphs due to the spikes in
flows/packets being sent.


yea... you can't really limit queries, unless you can react in almost
real-time to drop the queries on the floor before your servers see
them :( or capacity-plan for the spikes, which is... rough.


Does anyone have any ideas what the reasoning behind this could be? I
would also be interested to hear from anyone else experiencing this
too.


lots of folks are chattering privately about this, it's something in
china attacking chinese users.The BW and PPS rates involved are likely
quite high...

I can provide IP ranges from where I am seeing the issue but it does
vary a lot between the attacks with the only pattern every time being
the source address is located in China. I read a thread earlier,
http://seclists.org/nanog/2011/Nov/920, which sounds like the exact
thing I am seeing.


it probably is... if you run decently large auth complexes with lots
of domains, welcome to the party.

-chris

Thanks

Current thread:

DNS Attacks toor (Jan 17)
- Re: DNS Attacks Mark Andrews (Jan 17)
- Re: DNS Attacks Christopher Morrow (Jan 17)
- Re: DNS Attacks Leigh Porter (Jan 17)
  - Re: DNS Attacks Dobbins, Roland (Jan 18)
  - Re: DNS Attacks Joel jaeggli (Jan 18)
  - Re: DNS Attacks Ken A (Jan 19)
- Re: DNS Attacks virendra rode (Jan 18)
  - RE: DNS Attacks Drew Weaver (Jan 18)
- <Possible follow-ups>
- Re: DNS Attacks Dennis (Jan 18)
  - RE: DNS Attacks Leigh Porter (Jan 18)
    - Re: DNS Attacks Nick Hilliard (Jan 18)
    - Re: DNS Attacks Christopher Morrow (Jan 18)

(Thread continues...)