On 10 Jun 2012, at 17:20, Jan Inge Sande wrote:

> I'm seeing the same attack as Jim Reid described on one of my nameservers too (just found the "source"/target address on Gmane and signed up for the mailing list), at ~3Kqps/1.3Mbits at the moment (in Germany, AS24940). No UDP checksum, the source address is set to 37.221.160.125 and ANY queries for a zone that isn't and hasn't been in use (no records apart from DNSSEC, SOA and NS). I haven't seen anything on the other authoritative servers.

Interesting. FWIW, RIPE NCC's whois says this address block is linked to a different ASN from the one you found:

% Information related to '37.221.160.96 - 37.221.160.127'

inetnum:         37.221.160.96 - 37.221.160.127
netname:         IxamHosting
descr:           Shared/Reseller and VPS Hosting
country:         RO
admin-c:         MK12203-RIPE
tech-c:          MK12203-RIPE
status:          ASSIGNED PA
mnt-by:          VOXILITY-MNT
mnt-routes:      VOXILITY-MNT
mnt-lower:       VOXILITY-MNT
remarks:         INFRA-AW
source:          RIPE # Filtered

person:          Maximilian Kutzner
address:         Hauptstrasse 31
address:         92361 Röckersbühl
phone:           +49 1627297616
nic-hdl:         MK12203-RIPE
mnt-by:          VOXILITY-MNT
abuse-mailbox:   ab...@ixam-hosting.com
source:          RIPE # Filtered

% Information related to '37.221.160.0/21AS39743'

route:           37.221.160.0/21
descr:           voxility.net
origin:          AS39743
mnt-by:          VOXILITY-MNT
source:          RIPE # Filtered


_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
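
One way to spot the traffic pattern described in this thread in a query log, as an added example that is not part of the original messages: it reports each (source, name) pair whose ANY queries exceed a per-second threshold. The log line format, the threshold and the sample addresses (documentation ranges) are assumptions constructed for illustration.

```python
from collections import Counter

ANY_QPS_THRESHOLD = 100  # assumed alert threshold; tune per server


def build_sample():
    """Constructed log: '<epoch-second> <source-ip> <qname> <qtype>'."""
    lines = []
    for sec in (1339341600, 1339341601):
        # One source repeating ANY for an unused zone at ~3000 qps.
        lines += [f"{sec} 192.0.2.125 unused.example. ANY"] * 3000
        # Ordinary background traffic from another client.
        lines += [f"{sec} 198.51.100.7 www.example. A"] * 40
    lines.append("1339341600 198.51.100.9 example. ANY")  # single ANY query
    lines.append("malformed line")
    return lines


def parse(line):
    """Return (second, source, qname, qtype) or None for unparseable lines."""
    parts = line.split()
    if len(parts) != 4 or not parts[0].isdigit():
        return None
    return int(parts[0]), parts[1], parts[2].lower(), parts[3].upper()


def find_any_floods(lines, threshold=ANY_QPS_THRESHOLD):
    """Map (source, qname) -> peak ANY queries in one second, if >= threshold."""
    per_second = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None or rec[3] != "ANY":
            continue
        sec, src, qname, _ = rec
        per_second[(src, qname, sec)] += 1
    peaks = {}
    for (src, qname, _sec), count in per_second.items():
        key = (src, qname)
        peaks[key] = max(peaks.get(key, 0), count)
    return {key: peak for key, peak in peaks.items() if peak >= threshold}


if __name__ == "__main__":
    for (src, qname), peak in find_any_floods(build_sample()).items():
        # In a reflection attack the logged source is the spoofed target.
        print(f"{src}: ANY {qname} peaked at {peak} qps")
```
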