> I see the same query against my private domain. It started roughly at
> the 25th of May.
> What is common is the UDPsize of 9000 and that both domains are signed.
> Because of that the amplification factor is much higher.
>
> What I don't understand is that the source addresses are mostly out
> of dynamic address pools from broadband ISPs around the world.
> So the victims are residential users?

No, most likely the residential users have CPEs with DNS proxies which
are open to queries from the WAN side. Thus the attack is typically:

spoofed source -> CPE -> name server -> CPE -> DoS of spoofed source

Steinar Haug, Nethelp consulting, sth...@nethelp.no
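
An added example, not part of the original thread: one way an authoritative-server operator could spot the pattern discussed above in a query log, where the visible sources are the relaying CPEs rather than the victim. The record layout, sample values and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records, not real traffic:
# (source_ip, qname, edns_udp_size, query_bytes, response_bytes)
SAMPLE = [
    ("198.51.100.17", "example.org.", 9000, 40, 3200),
    ("203.0.113.5",   "example.org.", 9000, 40, 3200),
    ("192.0.2.77",    "example.org.", 9000, 40, 3200),
    ("198.51.100.17", "example.org.", 9000, 40, 3200),
    ("192.0.2.10",    "www.example.org.", 4096, 45, 180),
    ("192.0.2.10",    "www.example.org.", 1232, 45, 180),
]

def summarize(records):
    """Group by (qname, EDNS size): query count, distinct sources, bytes in/out."""
    groups = defaultdict(lambda: {"queries": 0, "sources": set(), "in": 0, "out": 0})
    for src, qname, bufsize, qlen, rlen in records:
        g = groups[(qname.lower(), bufsize)]
        g["queries"] += 1
        g["sources"].add(src)
        g["in"] += qlen
        g["out"] += rlen
    return groups

def flag_reflection(records, min_sources=3, min_amplification=10.0):
    """Return groups where many distinct sources send the same query with the
    same advertised UDP size and the responses are far larger than the queries.
    Both thresholds are assumed values; tune them against normal traffic."""
    hits = []
    for (qname, bufsize), g in sorted(summarize(records).items()):
        amp = g["out"] / g["in"]  # bytes sent per byte received
        if len(g["sources"]) >= min_sources and amp >= min_amplification:
            hits.append({"qname": qname, "edns_udp_size": bufsize,
                         "queries": g["queries"], "sources": len(g["sources"]),
                         "amplification": round(amp, 1)})
    return hits

if __name__ == "__main__":
    for hit in flag_reflection(SAMPLE):
        print(hit)
```
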