We've been seeing thousands of ANY queries/sec for many months, but use RRL to filter them, so haven't been too bothered - mostly hitting our Tokyo node.

http://stats.cdns.net/public/0.0.0.1/D4AE52-BBA337.html

But I can confirm we ARE getting the same pattern in the port & ID

I'm thinking a rate limiter in iptables using -u32 should be possible.


One thing we did notice was they use an impressively wide range of different domain names in their queries, leading us to wonder if it is just a simple reflection attack.



On 11/09/2012 16:09, Robert Schwartz wrote:
The other interesting thing I noticed about the attack packets, is that
the source port and transaction ID are transposed. This could be used to
fingerprint the abusive packets. Here are a few lines from our TinyDNS
log (domain names removed and time-codes converted to a reader friendly
format):

2012-09-11 04:19:56.006172500 7115dd15:1ca3:a31c + 00ff
2012-09-11 04:19:56.010172500 7115dd15:b571:71b5 + 00ff
2012-09-11 04:19:56.014172500 7115dd15:9cd1:d19c + 00ff
2012-09-11 04:19:56.026172500 7115dd15:538a:8a53 + 00ff
2012-09-11 04:19:56.026172500 7115dd15:6fa5:a56f + 00ff
2012-09-11 04:19:56.042173500 7115dd15:40ac:ac40 + 00ff
2012-09-11 04:19:56.066173500 7115dd15:6fa5:a56f + 00ff
2012-09-11 04:19:56.066173500 7115dd15:6e38:386e + 00ff
2012-09-11 04:19:56.074173500 7115dd15:9729:2997 + 00ff
2012-09-11 04:19:56.082173500 7115dd15:c6df:dfc6 + 00ff

The three sets of hex separated by colons represent Source IP:Source
Port:Transaction ID (tinydns log file format is explained here:
http://www.dqd.com/~mayoff/notes/djbdns/tinydns-log.html )
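The fingerprint Robert describes (transaction ID equal to the source port with its two bytes swapped, on ANY queries) is easy to check mechanically against a tinydns log. The script below is an added example written for this thread, not code from either poster or from djbdns: it parses the `ip:port:id flag qtype` field layout of the lines quoted above, flags records where both signals are present, and tallies them per source address so a spike from one source stands out. The ten sample lines are the ones from the thread; the final `0a000001` line is a constructed benign query added for contrast.

```python
import re
from collections import Counter

# tinydns log layout as quoted in the thread: "<timestamp> <ip>:<port>:<id> <flag> <qtype> <name>"
# (IP, port and transaction ID in hex; the name column is absent because the poster stripped it).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \S+) "
    r"(?P<ip>[0-9a-f]{8}):(?P<port>[0-9a-f]{4}):(?P<txid>[0-9a-f]{4}) "
    r"(?P<flag>\S) (?P<qtype>[0-9a-f]{4})"
)

QTYPE_ANY = 0x00FF  # tinydns logs the query type in hex; ANY is 255

# Ten lines copied from the thread plus one constructed benign A query (last line).
SAMPLE_LOG = """\
2012-09-11 04:19:56.006172500 7115dd15:1ca3:a31c + 00ff
2012-09-11 04:19:56.010172500 7115dd15:b571:71b5 + 00ff
2012-09-11 04:19:56.014172500 7115dd15:9cd1:d19c + 00ff
2012-09-11 04:19:56.026172500 7115dd15:538a:8a53 + 00ff
2012-09-11 04:19:56.026172500 7115dd15:6fa5:a56f + 00ff
2012-09-11 04:19:56.042173500 7115dd15:40ac:ac40 + 00ff
2012-09-11 04:19:56.066173500 7115dd15:6fa5:a56f + 00ff
2012-09-11 04:19:56.066173500 7115dd15:6e38:386e + 00ff
2012-09-11 04:19:56.074173500 7115dd15:9729:2997 + 00ff
2012-09-11 04:19:56.082173500 7115dd15:c6df:dfc6 + 00ff
2012-09-11 04:19:57.000000000 0a000001:c3a1:1f2e + 0001
"""


def hex_ip_to_dotted(h):
    """Convert the 8-hex-digit source address tinydns logs into dotted quad."""
    return ".".join(str(int(h[i:i + 2], 16)) for i in range(0, 8, 2))


def is_transposed(port, txid):
    """True when the transaction ID is the source port with its two bytes swapped."""
    return ((port & 0xFF) << 8) | (port >> 8) == txid


def parse_line(line):
    """Parse one tinydns log line into a record, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m["ts"],
        "ip": hex_ip_to_dotted(m["ip"]),
        "port": int(m["port"], 16),
        "txid": int(m["txid"], 16),
        "qtype": int(m["qtype"], 16),
    }


def classify(rec):
    """Report the two signals discussed in the thread for a parsed record."""
    return {
        "any": rec["qtype"] == QTYPE_ANY,
        "transposed": is_transposed(rec["port"], rec["txid"]),
    }


def scan(log_text):
    """Return (flagged records, per-source counter) for lines showing both signals."""
    flagged = []
    per_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sig = classify(rec)
        if sig["any"] and sig["transposed"]:
            flagged.append(rec)
            per_ip[rec["ip"]] += 1
    return flagged, per_ip


if __name__ == "__main__":
    flagged, per_ip = scan(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} ANY queries with transposed port/ID")
```

Feeding a live log through `scan` and alerting when one source exceeds a per-second threshold gives a detector that keys on the packet shape rather than on the (widely varied) query names, which is the point of the fingerprint.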
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations