nanog mailing list archives

RE: DNS Attacks


From: Leigh Porter <leigh.porter () ukbroadband com>
Date: Wed, 18 Jan 2012 14:18:32 +0000



Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long as it is not *my* firewalls I really don't care 
what they do ;-)

--
Leigh Porter


-----Original Message-----
From: Dennis [mailto:dennis () justipit com]
Sent: 18 January 2012 12:55
To: Leigh Porter; toor
Cc: nanog () nanog org
Subject: Re: DNS Attacks

I agree with Roland on the firewall placement.  I add that the attack
would have likely succeeded to exhaust the servers.  There is a lot of
recent DDoS activity on DNS with what looks like legitimate queries.
You should also look at some DoS/application-level protections;
Radware and Arbor top the list.


Leigh Porter <leigh.porter () ukbroadband com> wrote:



On 18 Jan 2012, at 05:06, "toor" <lists () 1337 mx> wrote:

Hi list,

I am wondering if anyone else has seen a large amount of DNS queries
coming from various IP ranges in China. I have been trying to find a
pattern in the attacks but so far I have come up blank. I am completely
guessing these are possibly DNS amplification attacks but I am not
sure. Usually what I see is this:


At various seemingly random times over the past week I have had a DNS
which is behind a firewall come under attack. The firewall is
significant because the attacks killed the firewall as it is rather
under specified (not my idea..).

It did originate from Chinese address space and consisted of DNS
queries for lots of hosts. There was also a port-scan in the traffic
and a SYN attack on a few hosts on the same small subnet as the DNS, a
web server and an open SSH port.

--
Leigh Porter


______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud
service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________



