We've been seeing an increasing number of reflected and amplified DNS attacks over the last year, some more sophisticated than what you've described.
If the systems behind that port don't need to receive DNS traffic from everywhere, then I suggest blocking the DNS responses as far as is possible. You can frequently get away with blocking just the handful of nameservers involved, but if the attackers have some clue they'll be cycling them often and including authoritative servers for popular services.

Regards,
James

________________________________________
From: [email protected] [[email protected]] on behalf of Cliff Stanford [[email protected]]
Sent: 31 January 2013 11:32
To: [email protected]
Subject: [uknof] DNS DDoS

Just before 09:00 this morning we saw a 100 Mbps port saturated. Upon investigation the traffic appears to be DNS responses to requests that were never made. Over the following 5 minutes, we saw over 600,000 UDP DNS responses originating from 20 different DNS servers. The servers all seem to be genuine, authoritative servers. They were all targeted at a single server on our side, and the destination ports on the targeted system included pretty much the whole range.

Is this a known DDoS attack? It's a new one on me. Any suggestions on how to deal with it?

Regards,
Cliff.

--
Cliff Stanford
Might Limited
Wren Hall, 152a High St, Ongar, CM5 9JJ
+44 20 0222 1666 (Office)
+44 7973 616 666 (Mobile)

Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
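As an added illustration of how to spot the traffic Cliff describes (DNS responses with no matching outbound query, spread across many destination ports) and derive the short list of nameservers James suggests blocking first, here is a small detector over constructed flow records; it is not code from the thread or from Janet/uknof, and the IPs, ports and thresholds are made up for the example.

```python
from collections import defaultdict

# Constructed sample flow records, not a real capture:
# (timestamp, src_ip, src_port, dst_ip, dst_port, direction)
# direction is "out" for traffic leaving our network, "in" for traffic arriving.
SAMPLE_FLOWS = [
    (0.0, "192.0.2.10", 41000, "198.51.100.5", 53, "out"),  # our host queries a nameserver
    (0.1, "198.51.100.5", 53, "192.0.2.10", 41000, "in"),   # matching answer: legitimate
    (1.0, "203.0.113.7", 53, "192.0.2.10", 1025, "in"),     # answers we never asked for,
    (1.0, "203.0.113.7", 53, "192.0.2.10", 2048, "in"),     # scattered over destination ports
    (1.1, "203.0.113.7", 53, "192.0.2.10", 33000, "in"),
    (1.1, "203.0.113.7", 53, "192.0.2.10", 60001, "in"),
    (1.2, "203.0.113.9", 53, "192.0.2.10", 1025, "in"),     # only two strays: below threshold
    (1.3, "203.0.113.9", 53, "192.0.2.10", 1026, "in"),
]


def unsolicited_dns_responses(flows, window=5.0):
    """Map server_ip -> {"count", "ports"} for inbound UDP/53 responses with no matching query.

    A response matches a query if our host sent from the same port to that server's
    port 53 no more than `window` seconds earlier. Each query is consumed by one response.
    """
    pending = {}  # (our_ip, our_port, server_ip) -> time the query left our network
    unsolicited = defaultdict(lambda: {"count": 0, "ports": set()})
    for ts, src, sport, dst, dport, direction in sorted(flows):
        if direction == "out" and dport == 53:
            pending[(src, sport, dst)] = ts
        elif direction == "in" and sport == 53:
            sent = pending.pop((dst, dport, src), None)
            if sent is None or ts - sent > window:
                unsolicited[src]["count"] += 1
                unsolicited[src]["ports"].add(dport)
    return unsolicited


def reflection_sources(flows, min_responses=3, min_ports=3):
    """Nameservers whose unsolicited answers hit many distinct ports: the first block-list candidates."""
    stats = unsolicited_dns_responses(flows)
    return sorted(ip for ip, s in stats.items()
                  if s["count"] >= min_responses and len(s["ports"]) >= min_ports)


if __name__ == "__main__":
    for ip, s in unsolicited_dns_responses(SAMPLE_FLOWS).items():
        print(f"{ip}: {s['count']} unsolicited responses over {len(s['ports'])} ports")
    print("block candidates:", reflection_sources(SAMPLE_FLOWS))
```

On real data the per-server counts and port spread come from flow exports or a packet capture; the thresholds should be set well above the stray late answers a busy resolver sees normally.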
