On 12.09.2012 11:06, Simon Munton wrote:
> We've been seeing 1000's of ANY queries/sec for many months, but use RRL to filter them, so haven't been too bothered - mostly hitting our Tokyo node.
>
> http://stats.cdns.net/public/0.0.0.1/D4AE52-BBA337.html
>
> But I can confirm we ARE getting the same pattern in the port & ID.
>
> I'm thinking a rate limiter in iptables using -u32 should be possible.
>
> One thing we did notice was they use an impressively wide range of different domain names in their queries, leading us to wonder if it is just a simple reflection attack.
I also wondered if maybe it is just a legitimate user trying to "mirror" the DNS. But today's most seen source on our DNS servers is 113.21.221.21, which is assigned to nexusguard.com, which "protects E-Business from DDoS attacks". This makes me believe that it is an amplification attack.
regards
Klaus
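Added example, not part of the original messages or of any poster's setup: a Python sketch of per-source rate limiting of ANY queries, as discussed in the thread. It keys on the source address rather than the query name, since the names vary widely, and it walks the QNAME to find QTYPE because that field sits at a variable offset. The function and class names, the limit of 2 per second, the `.example` names and the 192.0.2.53 source are all constructed for illustration.

```python
import struct
from collections import defaultdict

QTYPE_ANY = 255  # QTYPE "*" (ANY), RFC 1035

def build_query(txid, qname, qtype):
    """Build a minimal DNS query; used only to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(payload):
    """Return (qname, qtype) for a single-question query, else None."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount != 1:  # QR bit set means it is a response
        return None
    pos, labels = 12, []
    while pos < len(payload) and payload[pos] != 0:
        n = payload[pos]
        if n > 63:  # compression pointers are not expected in a query name
            return None
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    if pos + 5 > len(payload):  # need root label + QTYPE + QCLASS
        return None
    (qtype,) = struct.unpack("!H", payload[pos + 1:pos + 3])
    return ".".join(labels), qtype

class AnyLimiter:
    """Allow at most `limit` ANY queries per source per one-second window."""
    def __init__(self, limit):
        self.limit = limit
        self.window = defaultdict(lambda: [None, 0])  # src -> [second, count]

    def allow(self, src, payload, now):
        q = parse_question(payload)
        if q is None or q[1] != QTYPE_ANY:
            return True  # this sketch limits ANY only; everything else passes
        slot = self.window[src]
        if slot[0] != int(now):
            slot[0], slot[1] = int(now), 0
        slot[1] += 1
        return slot[1] <= self.limit

def run_demo():
    # Constructed traffic: one source, a different name in every query.
    lim = AnyLimiter(limit=2)
    pkts = [(10.0, "a.example", 255), (10.1, "b.example", 255),
            (10.2, "c.example", 255), (10.3, "d.example", 1),
            (11.0, "e.example", 255)]
    return [lim.allow("192.0.2.53", build_query(i, name, qt), ts)
            for i, (ts, name, qt) in enumerate(pkts)]
```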