[Dshield] ISC# [6656916] & [6137560] Massive DNS attack/Flood - next evolution - phase 2

Frank Knobbe frank at knobbe.us
Thu Jan 29 02:26:46 GMT 2009


On Wed, 2009-01-28 at 15:58 -0500, Dr. Daniel Carras wrote:
> I'm analyzing the logs now. However, there's not much. All it does is 
> repeatedly ask for NS-record for <root>
> 
> ----log excerpt from Jan.17.09---
> 13:06:11   Request from 216.240.131.173 for NS-record for <root>
> 13:06:11   Sending reply to 216.240.131.173 about NS-record for <root>:
> 13:06:11   -> Answer: NS-record for <root> = b.root-servers.net.
> 13:06:11   -> Answer: NS-record for <root> = l.root-servers.net.
> 13:06:11   -> Answer: NS-record for <root> = d.root-servers.net.
[...]


And it looks like your name server is responding... oops! :)

Yeah, these DDoS attacks have been around for a while. Spoofed UDP
request for "." which misconfigured name servers respond to with the
list of root servers. The ISC Diary (last week?) had recommendations on
how to properly configure your name server so that you don't participate
in this DDoS attack as an amplifier. I highly recommend you check
your name server and configure it not to respond to "." requests. (It's
gonna save you bandwidth too ;)

Cheers,
Frank
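
To check whether a name server is being used this way, the log format quoted above can be summarized per address. This is an added example, not part of the original post; the function names, the `min_requests` threshold, and the sample log (built with documentation addresses) are assumptions.

```python
import re
from collections import defaultdict

# Line shapes taken from the log excerpt quoted in the post.
REQ = re.compile(r"^\d\d:\d\d:\d\d\s+Request from (\S+) for (\S+)-record for (\S+)$")
REPLY = re.compile(r"^\d\d:\d\d:\d\d\s+Sending reply to (\S+) about (\S+)-record for (\S+):$")
ANSWER = re.compile(r"^\d\d:\d\d:\d\d\s+-> Answer: ")

# Constructed sample (documentation addresses), not data from the post.
SAMPLE_LOG = """\
13:06:11   Request from 192.0.2.10 for NS-record for <root>
13:06:11   Sending reply to 192.0.2.10 about NS-record for <root>:
13:06:11   -> Answer: NS-record for <root> = b.root-servers.net.
13:06:11   -> Answer: NS-record for <root> = l.root-servers.net.
13:06:11   Request from 192.0.2.10 for NS-record for <root>
13:06:11   Sending reply to 192.0.2.10 about NS-record for <root>:
13:06:11   -> Answer: NS-record for <root> = b.root-servers.net.
13:06:12   Request from 192.0.2.10 for NS-record for <root>
13:06:12   Request from 198.51.100.7 for A-record for www.example.com
13:06:12   Sending reply to 198.51.100.7 about A-record for www.example.com:
13:06:12   -> Answer: A-record for www.example.com = 203.0.113.5
"""

def summarize_root_ns(log_text):
    """Per address: root NS requests seen, replies sent, answer records sent."""
    stats = defaultdict(lambda: {"requests": 0, "replies": 0, "answers": 0})
    current = None  # address whose root NS reply is currently being listed
    for line in log_text.splitlines():
        line = line.strip()
        req, reply = REQ.match(line), REPLY.match(line)
        if req:
            current = None
            if req.group(2, 3) == ("NS", "<root>"):
                stats[req.group(1)]["requests"] += 1
        elif reply:
            current = reply.group(1) if reply.group(2, 3) == ("NS", "<root>") else None
            if current:
                stats[current]["replies"] += 1
        elif current and ANSWER.match(line):
            stats[current]["answers"] += 1
    return dict(stats)

def reflection_targets(stats, min_requests=3):
    """Addresses this server answered that repeat the root NS query.
    With spoofed UDP these are the likely victims, not the senders."""
    return sorted(ip for ip, s in stats.items()
                  if s["requests"] >= min_requests and s["replies"] > 0)

if __name__ == "__main__":
    print(reflection_targets(summarize_root_ns(SAMPLE_LOG)))
```

A non-zero `replies` count for root NS queries means the server is answering them; after reconfiguring, that count should stay at zero even while requests keep arriving.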



