If you didn't already check it out, you may find this presentation at our last workshop adds some background:
https://indico.dns-oarc.net//contributionDisplay.py?contribId=37&sessionId=3&confId=20 Keith On 11/02/2014 08:52 AM, Lyle Giese wrote: > Just to flush out the details here, in case anyone is wondering. We > have a small number of domains that are DNSSEC signed, but those under > attack are not signed. > > In the past two days, I am seeing RRL kicking in heavily for queries for > host names or subdomains in the form: > > <variable>.example.com > > From IPv4 and IPv6 Google ip addresses. At the same time, but I see a > few of the 'no more TCP clients: quota reached' messages. Again, after > the RRL limit kicking in, rolling over to TCP is expected. > > I am seeing the 'attack' first against one domain for a period of only a > few(less than 5) minutes. And then the next day, another flurry of > activity against another domain lasting about 4 minutes. > > I am not sure what the goal is of the attackers yet. But in bouncing > the queries through Google does a pretty good job of hiding their > identity from me. _______________________________________________ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
