[Dshield] ISC#  &  Massive DNS attack/Flood - next evolution - phase 2
frank at knobbe.us
Thu Jan 29 02:26:46 GMT 2009
On Wed, 2009-01-28 at 15:58 -0500, Dr. Daniel Carras wrote:
> I'm analyzing the logs now. However, there's not much. All it does is
> repeatedly ask for NS-record for <root>
> ----log expert from Jan.17.09---
> 13:06:11 Request from 18.104.22.168 for NS-record for <root>
> 13:06:11 Sending reply to 22.214.171.124 about NS-record for <root>:
> 13:06:11 -> Answer: NS-record for <root> = b.root-servers.net.
> 13:06:11 -> Answer: NS-record for <root> = l.root-servers.net.
> 13:06:11 -> Answer: NS-record for <root> = d.root-servers.net.
And it looks like your name server is responding... oops! :)
Yeah, these DDoS attacks have been around for a while. Spoofed UDP
request for "." which misconfigured name servers respond to with the
list of root servers. The ISC Diary (last week?) had recommendations on
how to properly configure your name server so that you don't participate
in this DDoS attack as an amplifier. I highly recommend you check
your name server and configure it not to respond to "." requests. (It's
gonna save you bandwidth too ;)
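
The check described in this message, as an added example that is not part of the original post: a small Python parser for the log format quoted above that counts root NS-record requests per source and reports whether the server answered them, which is what makes it usable as an amplifier. The sample log, the addresses in it, the A-record line, the function name and the `threshold` parameter are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the log format quoted above; addresses are
# documentation ranges (RFC 5737), not values from the thread.
SAMPLE_LOG = """\
13:06:11 Request from 192.0.2.10 for NS-record for <root>
13:06:11 Sending reply to 192.0.2.10 about NS-record for <root>:
13:06:11 -> Answer: NS-record for <root> = b.root-servers.net.
13:06:11 -> Answer: NS-record for <root> = l.root-servers.net.
13:06:11 -> Answer: NS-record for <root> = d.root-servers.net.
13:06:12 Request from 192.0.2.10 for NS-record for <root>
13:06:12 Sending reply to 192.0.2.10 about NS-record for <root>:
13:06:12 -> Answer: NS-record for <root> = b.root-servers.net.
13:06:12 -> Answer: NS-record for <root> = l.root-servers.net.
13:06:13 Request from 198.51.100.7 for A-record for www.example.com
13:06:14 Request from 192.0.2.10 for NS-record for <root>
"""

REQ = re.compile(r"^\d\d:\d\d:\d\d Request from (\S+) for NS-record for <root>$")
REPLY = re.compile(r"^\d\d:\d\d:\d\d Sending reply to (\S+) about NS-record for <root>:$")
ANSWER = re.compile(r"^\d\d:\d\d:\d\d -> Answer: NS-record for <root> = (\S+)$")

def analyze(log_text, threshold=3):
    """Summarise root NS-record queries per source (hypothetical helper)."""
    requests, replies, answers = Counter(), Counter(), Counter()
    current = None  # destination of the reply whose answer lines we are reading
    for line in log_text.splitlines():
        line = line.strip()
        if m := REQ.match(line):
            requests[m.group(1)] += 1
            current = None
        elif m := REPLY.match(line):
            current = m.group(1)
            replies[current] += 1
        elif (m := ANSWER.match(line)) and current:
            answers[current] += 1
        else:
            current = None  # unrelated line ends any reply block
    return {
        src: {
            "root_ns_requests": n,
            "replies_sent": replies[src],
            "answer_records_sent": answers[src],
            "amplifying": answers[src] > 0,   # server returned the root list
            "repeated": n >= threshold,       # same source asking over and over
        }
        for src, n in requests.items()
    }
```

A source that shows up as both `repeated` and `amplifying` is most likely the spoofed victim address, so the useful fix is on the name server itself rather than blocking that address.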