On 31 Jan 2013, at 11:47, James Davis <[email protected]> wrote:

> We've been seeing an increasing number of reflected and amplified DNS attacks
> over the last year, some more sophisticated than what you've described.
>
> If the systems behind that port don't need to receive DNS traffic from
> everywhere then I suggest blocking the DNS responses as far as is possible.
> You can frequently get away with blocking just the handful of nameservers
> involved but if the attackers have some clue they'll be cycling them often
> and including authoritative servers for popular services.
>
> Regards,
>
> James
> ________________________________________
> From: [email protected] [[email protected]] on
> behalf of Cliff Stanford [[email protected]]
> Sent: 31 January 2013 11:32
> To: [email protected]
> Subject: [uknof] DNS DDoS
>
> Just before 09:00 this morning we saw a 100 Mbps port saturated. Upon
> investigation the traffic appears to be DNS responses to requests that
> were never made.
>
> Over the following 5 minutes, we saw over 600,000 UDP DNS responses
> originating from 20 different DNS servers. The servers all seem to be
> genuine, authoritative servers.
>
> They were all targeted at a single server our side and the destination
> ports on the targeted system included nearly pretty much the whole range.
>
> Is this a known DDoS attack? It's a new one on me. Any suggestions on
> how to deal with it?
Mostly comes from Ukraine steephost.net ranges, block the lot of them and move on :)

Colin
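The pattern Cliff describes (DNS responses to requests that were never made, sprayed across nearly every destination port) can be confirmed from flow data before any block is put in, and the same check yields the handful of reflector addresses James suggests blocking. The following is an added Python example, not code from anyone in this thread; it assumes a constructed flow-record shape and uses documentation-range addresses.

```python
from collections import defaultdict

# Constructed UDP/53 flow records, in the shape an edge flow collector might export:
# (timestamp_s, direction, src_ip, src_port, dst_ip, dst_port, dns_txid).
# "out" = query leaving our network, "in" = packet arriving at it.
# Addresses are documentation ranges; 192.0.2.10 stands in for the targeted host.
SAMPLE_FLOWS = [
    (0.00, "out", "192.0.2.10", 41000, "198.51.100.1", 53, 0x1A2B),   # our query
    (0.05, "in", "198.51.100.1", 53, "192.0.2.10", 41000, 0x1A2B),    # its reply
    (0.10, "in", "203.0.113.5", 53, "192.0.2.10", 1024, 0x4444),      # unsolicited
    (0.11, "in", "203.0.113.5", 53, "192.0.2.10", 2048, 0x4444),      # unsolicited
    (0.12, "in", "203.0.113.5", 53, "192.0.2.10", 60000, 0x4444),     # unsolicited
    (0.13, "in", "203.0.113.9", 53, "192.0.2.10", 33333, 0x0001),     # unsolicited
    (0.20, "out", "192.0.2.10", 41001, "198.51.100.1", 53, 0x1A2C),   # our query
    (9.00, "in", "198.51.100.1", 53, "192.0.2.10", 41001, 0x1A2C),    # reply, but stale
]


def unsolicited_responses(flows, window_s=5.0):
    """Match inbound DNS responses against the outbound queries that could have
    produced them. A response counts as unsolicited when no query with the same
    (client ip, client port, server ip, txid) was sent within window_s seconds.
    Returns {server_ip: {"responses": n, "dst_ports": {ports hit}}}."""
    pending = {}  # query key -> time it was sent
    stats = defaultdict(lambda: {"responses": 0, "dst_ports": set()})
    for ts, direction, sip, sport, dip, dport, txid in sorted(flows):
        if direction == "out" and dport == 53:
            pending[(sip, sport, dip, txid)] = ts
        elif direction == "in" and sport == 53:
            sent = pending.pop((dip, dport, sip, txid), None)
            if sent is None or ts - sent > window_s:
                stats[sip]["responses"] += 1
                stats[sip]["dst_ports"].add(dport)
    return dict(stats)


def suspected_reflectors(flows, min_responses=2, window_s=5.0):
    """Servers whose unsolicited-response count reaches min_responses, most
    active first; these are the candidates for a temporary response block."""
    stats = unsolicited_responses(flows, window_s)
    hits = [(ip, s["responses"]) for ip, s in stats.items()
            if s["responses"] >= min_responses]
    return [ip for ip, _ in sorted(hits, key=lambda h: (-h[1], h[0]))]
```

Because the reflector set is cycled by the attacker, as James notes, rerun this per window rather than treating one output as a static block list, and keep a whitelist for resolvers your hosts legitimately talk to.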
