On Wed, May 30, 2012 at 11:12 AM, kalpesh thaker <[email protected]> wrote:
> according to tcpdump -vn, the connections were mostly TCP.. however there
> were a lot of repetitive incoming UDP packets coming in during the early
> stages, for authoritative domains on our NS querying TXT RR's. This is why I
> suspected amplification as being possible in this DOS attack. Immediately

Sorry for stating the obvious but often what looks like a DoS attack is just business as usual: if your subnet has a few trojanised spambots and you host your own revdns then mailservers may request revdns entries in cohorts, for example. Resolving TXT entries may be collateral to looking up abuse contacts en masse, for example. Maybe not, but I've seen many a DNS "DoS" which was a result of a couple of virus-ridden windoze systems on local subnets.

As a sidenote I wondered what amount of traffic it was, since pdns is supposed to be able to handle quite an amount of requests per second and shouldn't choke easily.

Peter
