[Dshield] ISPrime DNS bounce DDOS

Stephane Grobety security at admin.fulgan.com
Thu Jan 22 16:35:38 GMT 2009

Hello List,

I just spent a couple of hours this afternoon tuning my DNS servers
and firewall to cope with the ISPrime DNS bounce DDOS (as discussed on
ICS) and I have a couple of questions left.

First, has anyone noticed a sudden jump in the intensity of the
attack? On Monday, and up to yesterday, I was receiving about 10 packets
per minute per DNS server. Now, I'm well into the thousands per minute, on
all my DNS. Not that I can't cope with that, but I'm wondering a bit
if I'm the only one who sees the increase. Note that at no point did
any of my servers actually respond to the root hint queries (not even
with an error) so it can't be because of the result of a probe.

Second, does anyone know a web site that gives some status about the
attack? I've written a lot of rules to minimize the impact of this
traffic on my networks (and poor log files) but many of these rules
are IP-bound to the ISPrime servers and I'd like to know when I can
start cleaning up my filters.


