Agreed, we've been on both ends of this: our auth DNS servers were being hammered by any requests with spoofed source addresses until we did some creative blocking, and we've seen 800Mbps+ of inbound spoofed DNS responses in the past, happily to a web service, not to our resolvers, so we could just block inbound UDP upstream.

Vince

On 31/01/2013 11:44, Aftab Siddiqui wrote:
> More like DNS Amplification attacks. Search through RIPE and NANOG
> preso archive you will find some useful info about the same.
>
> Regards,
>
> Aftab A. Siddiqui
>
>
> On Thu, Jan 31, 2013 at 4:32 PM, Cliff Stanford <[email protected]> wrote:
>
>     Just before 09:00 this morning we saw a 100 Mbps port saturated.
>     Upon investigation the traffic appears to be DNS responses to
>     requests that were never made.
>
>     Over the following 5 minutes, we saw over 600,000 UDP DNS
>     responses originating from 20 different DNS servers. The servers
>     all seem to be genuine, authoritative servers.
>
>     They were all targeted at a single server our side and the
>     destination ports on the targeted system included nearly pretty
>     much the whole range.
>
>     Is this a known DDoS attack? It's a new one on me. Any
>     suggestions on how to deal with it?
>
>     Regards,
>     Cliff.
>
>     --
>     Cliff Stanford
>     Might Limited              +44 20 0222 1666 (Office)
>     Wren Hall 152a High St     +44 7973 616 666 (Mobile)
>     Ongar, CM5 9JJ
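
An added example, not part of the original thread: one way to confirm from capture or flow records that inbound DNS traffic is "responses to requests that were never made", and to summarise it per target the way Cliff does (source servers, destination port spread). The record layout, function names and sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed records: (time_s, src_ip, src_port, dst_ip, dst_port, dns_id, is_response)
# All addresses are RFC 5737 documentation ranges.
RECORDS = [
    (0.00, "203.0.113.10", 40001, "192.0.2.53", 53, 0x1A2B, False),  # real query
    (0.02, "192.0.2.53", 53, "203.0.113.10", 40001, 0x1A2B, True),   # its answer
    (1.00, "192.0.2.53", 53, "203.0.113.10", 1187, 0x0001, True),    # never asked
    (1.01, "198.51.100.7", 53, "203.0.113.10", 52210, 0x0002, True),
    (1.02, "198.51.100.8", 53, "203.0.113.10", 8080, 0x0003, True),
    (1.03, "198.51.100.7", 53, "203.0.113.10", 31999, 0x0004, True),
    (9.00, "203.0.113.10", 40002, "192.0.2.53", 53, 0x2222, False),  # real query
    (9.50, "192.0.2.53", 53, "203.0.113.10", 40002, 0x9999, True),   # wrong DNS ID
]

def unsolicited_responses(records, window=5.0):
    """Return UDP/53 responses that match no recent query from the local host."""
    pending = {}  # (client_ip, client_port, server_ip, dns_id) -> query time
    flagged = []
    for ts, src, sport, dst, dport, dns_id, is_resp in sorted(records):
        if not is_resp and dport == 53:
            pending[(src, sport, dst, dns_id)] = ts
        elif is_resp and sport == 53:
            # A genuine answer mirrors the query's 4-tuple and carries its ID.
            sent = pending.pop((dst, dport, src, dns_id), None)
            if sent is None or ts - sent > window:
                flagged.append((ts, src, dst, dport))
    return flagged

def summarize(flagged):
    """Per target: response count, distinct source servers, distinct dest ports."""
    acc = defaultdict(lambda: {"responses": 0, "servers": set(), "ports": set()})
    for _, server, target, port in flagged:
        entry = acc[target]
        entry["responses"] += 1
        entry["servers"].add(server)
        entry["ports"].add(port)
    return {t: {"responses": e["responses"], "servers": len(e["servers"]),
                "ports": len(e["ports"])} for t, e in acc.items()}

if __name__ == "__main__":
    for target, stats in summarize(unsolicited_responses(RECORDS)).items():
        print(target, stats)
```

Many responses from several genuine servers to one target across a wide spread of destination ports, with no matching outbound queries, is the reflection pattern described in the thread.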
