David Crane wrote:
> This could be spoofed packets attempting to do DDoS amplification
> against Facebook.
> Attackers will run this against 1000's of machines they've scanned as
> being open resolvers and use them to amplify their ddos traffic.

Lists of known open resolvers are certainly scanned for (by both researchers and bad guys) and maintained. Paul's IP address does not ever have to have been delegated to, or operated as, a resolver, it just needs to have been flagged up by such a scan as one at some point.

> Most people don't need to run Open Recursive DNS, but there's a lot
> of misconfigured boxes out there...

In particular this includes certain CPE devices - some routers shipped with the internal stub resolver being open to the external as well as internal interface, and it not necessarily being easy or even possible to disable this.

There's some useful pointers here:

https://www.dns-oarc.net/wiki/mitigating-dns-denial-of-service-attacks

Keith
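
Added example, not part of the original message: a way to judge, from a reply captured outside your own network, whether a box you operate (such as the CPE routers mentioned above) answers recursive queries for outsiders, and how much larger the reply is than the query. The function names, the heuristic and the sample packets are assumptions constructed for illustration.

```python
import struct

# DNS header flag masks (RFC 1035, section 4.1.1)
QR, RD, RA, RCODE = 0x8000, 0x0100, 0x0080, 0x000F
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, txid=0x1234):
    """Encode a recursive (RD=1) query for `name`; qtype 1 is an A record."""
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in name.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def classify(query, response):
    """Judge one reply, seen from OUTSIDE the network, to a recursive query."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & QR or txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("not a response to this query")
    rcode = flags & RCODE
    # Heuristic (assumption): recursion offered AND an answer returned for a
    # name the box is not authoritative for means it recurses for outsiders.
    is_open = bool(flags & RA) and rcode == 0 and ancount > 0
    return {
        "rcode": RCODE_NAMES.get(rcode, str(rcode)),
        "recursion_available": bool(flags & RA),
        "answers": ancount,
        "open_resolver": is_open,
        "amplification": round(len(response) / len(query), 2),
    }

# Constructed sample replies (not captured traffic); 192.0.2.1 is a
# documentation-only address.
QUERY = build_query("example.com")
QUESTION = QUERY[12:]
ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0) + QUESTION + ANSWER
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | 5, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    for label, reply in (("open", OPEN_REPLY), ("refused", REFUSED_REPLY)):
        print(label, classify(QUERY, reply))
```

A box that is closed to outsiders should show `REFUSED` (or no reply at all) for the same query sent to its external interface.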
