> Our current thinking (based on evidence from some of our customers, and
> also from Nominum's analysis presented at the Warsaw DNS-OARC workshop
> earlier this year) is that the majority of these recent query spates are
> intended as an attack on the domain (e.g. feile8888.com) or the
> nameserver hosting it. Once overwhelmed with query traffic, the DNS
> servers cease responding, or only respond sporadically.

Being responsible for the recursive name servers for a large Norwegian
ISP, I see these attacks on a more or less daily basis, mostly due to
CPEs with DNS proxies open towards the Internet.

I am reasonably sure that the attack is on the authoritative name
servers, and not on the domains as such. This conclusion is based on
the following (which is obviously not *proof*):

- Some of the domains have only been registered a few days before an
  attack starts.

- There are obvious similarities in the non-random part of many of
  these domain names which seems to indicate that they are *generated*,
  e.g.

    www.6644qq.com
    www.6644se.com
    www.6655pp.com
    www.6655qq.com
    www.667788.com
    www.6688hh.com
    www.6688pp.com

  or

    dafa888567.com
    dafa888678.com
    dafa888789.com
    dafa888cg.com
    dafa888vd.com

Steinar Haug, Nethelp consulting, sth...@nethelp.no
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
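
The name similarity pointed out in the message above can be checked mechanically when triaging resolver query logs. The following is an added example, not part of the original post: it groups registered domains by a shared leading prefix, using the names quoted above plus two constructed unrelated names. The function names, the thresholds and the one-label-TLD assumption are illustrative choices.

```python
from collections import defaultdict

# Names quoted in the message above, plus two unrelated names (constructed).
OBSERVED = [
    "www.6644qq.com", "www.6644se.com", "www.6655pp.com", "www.6655qq.com",
    "www.667788.com", "www.6688hh.com", "www.6688pp.com",
    "dafa888567.com", "dafa888678.com", "dafa888789.com",
    "dafa888cg.com", "dafa888vd.com",
    "mail.example.org", "www.example.net",
]

def registered_domain(qname):
    """Last two labels of a query name (assumes a one-label TLD such as .com)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def cluster_by_prefix(qnames, min_prefix=2, min_size=3):
    """Group registered domains whose leftmost label shares a leading prefix.

    Longer prefixes are tried first, so a domain lands in the most specific
    family that has at least min_size members. Returns {prefix: [domains]}.
    """
    remaining = {registered_domain(q) for q in qnames}
    clusters = {}
    longest = max((len(d.split(".")[0]) for d in remaining), default=0)
    for plen in range(longest, min_prefix - 1, -1):
        groups = defaultdict(list)
        for dom in remaining:
            label = dom.split(".")[0]
            if len(label) >= plen:
                groups[label[:plen]].append(dom)
        for prefix, members in groups.items():
            if len(members) >= min_size:
                clusters[prefix] = sorted(members)
                remaining.difference_update(members)
    return clusters

if __name__ == "__main__":
    for prefix, members in cluster_by_prefix(OBSERVED).items():
        print(f"{prefix}*: {len(members)} domains: {', '.join(members)}")
```

A two-character prefix is a loose match, so on real logs raise `min_prefix` or treat short-prefix families only as candidates for a closer look.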