Other than being non-compliant, is an "ANY" query used by any major software? Could someone rate limit ANY responses to mitigate this particular issue?
On Fri, Dec 2, 2011 at 8:17 AM, Leland Vandervort <lel...@taranta.discpro.org> wrote:
> Yup.. they're all "ANY" requests. The varying TTLs indicate that they're
> most likely spoofed. We are also now seeing similar traffic from RFC1918
> "source" addresses trying to ingress our network (but being stopped by our
> border filters).
>
> Looks like the kiddies are playing....
>
>
> On 2 Dec 2011, at 16:02, Ryan Rawdon wrote:
>
> > On Nov 30, 2011, at 3:12 PM, Drew Weaver wrote:
> >
> >> -----Original Message-----
> >> From: rob.vercoute...@kpn.com [mailto:rob.vercoute...@kpn.com]
> >> Sent: Wednesday, November 30, 2011 3:05 PM
> >> To: matlo...@exempla.org; richard.bar...@gmail.com; andrew.wall...@rocketmail.com
> >> Cc: nanog@nanog.org; lel...@taranta.discpro.org
> >> Subject: RE: Recent DNS attacks from China?
> >>
> >> Yes it is, but the problem is that our servers are "attacking" the
> >> so-called source address. All the answers are going back to the "source".
> >> It is huge amplification attacks. (some sort of smurf if you want) The IP
> >> addresses are spoofed (we did a capture and saw all different TTLs, so
> >> coming from behind different hops). And yes, we saw the ANY queries for
> >> all the domains.
> >>
> >> I still wonder how it is still possible that IP addresses can be
> >> spoofed nowadays.
> >
> > We're a smaller shop and started receiving these queries last night,
> > roughly 1000 queries per minute or less. We're seeing that the source
> > (victim) addresses are changing every few minutes, the TTLs vary within a
> > given source address, and while most of the source/victim addresses have
> > been Chinese we are seeing a few which are not, such as 74.125.90.83
> > (Google). The queries are coming in to ns1.traffiq.com (perhaps ns2
> > also, I haven't checked) and are for traffiq.com/ANY which unfortunately
> > gives a 492-byte response.
> >
> >> =================
> >>
> >> Rob,
> >>
> >> Transit providers can bill for the denial of service traffic and they
> >> claim it's too expensive to run uRPF because of the extra lookup.
> >>
> >> -Drew
> >
>
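The pattern the thread describes (spoofed "source" addresses that are really the victims, a burst of ANY queries for one of your own zones, some from RFC1918 space that can never legitimately reach a border router, and a small query amplified into a 492-byte answer) is easy to pull out of an authoritative server's query log. The script below is an added example written for this page, not code posted by anyone in the thread. The log lines are constructed to resemble BIND 9 querylog output; the 492-byte traffiq.com/ANY response size is the figure Ryan quotes, and the per-minute threshold, the `analyze`/`parse_line` names and the payload-size arithmetic are this example's own assumptions.

```python
"""Spot the ANY-query reflection pattern from the thread in BIND 9 query logs.

Added example, not code from the NANOG thread. Log lines are constructed to
look like BIND 9 querylog output; 492 bytes is the traffiq.com/ANY response
size quoted in the thread; the threshold is an assumed tuning knob.
"""
import ipaddress
import re
from collections import Counter

# BIND 9 querylog line (9.7/9.8-era format), e.g.
#   02-Dec-2011 08:17:00.101 client 74.125.90.83#53: query: traffiq.com IN ANY +E (192.0.2.53)
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<minute>\d\d:\d\d):\d\d\.\d+ client (?P<src>[^#\s]+)#\d+: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) \([^)]*\)$"
)

# Response sizes for zones we serve; 492 bytes is the value from the thread.
RESPONSE_BYTES = {"traffiq.com": 492}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True for an RFC 1918 source, which cannot legitimately arrive from the Internet."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def query_wire_bytes(qname, edns):
    """Approximate DNS payload size of the query: 12-byte header, QNAME in wire
    form (one length octet per label plus the root octet), 4 bytes QTYPE/QCLASS,
    and an 11-byte OPT pseudo-RR when the querylog 'E' (EDNS0) flag is set."""
    return 12 + len(qname.rstrip(".")) + 2 + 4 + (11 if edns else 0)


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["edns"] = "E" in rec["flags"]
    return rec


def analyze(log_text, per_minute_threshold=30):
    """Per-source statistics for ANY queries; flags likely reflection victims."""
    per_src_minute = Counter()
    stats = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "ANY":
            continue
        src = rec["src"]
        per_src_minute[(src, rec["date"], rec["minute"])] += 1
        s = stats.setdefault(src, {"any_queries": 0, "peak_per_minute": 0,
                                   "amplification": 0.0, "rfc1918": is_rfc1918(src)})
        s["any_queries"] += 1
        resp = RESPONSE_BYTES.get(rec["qname"].rstrip(".").lower())
        if resp is not None:
            # Bytes we send back per byte the attacker had to send (DNS payload only).
            s["amplification"] = max(s["amplification"],
                                     resp / query_wire_bytes(rec["qname"], rec["edns"]))
    for (src, _date, _minute), n in per_src_minute.items():
        stats[src]["peak_per_minute"] = max(stats[src]["peak_per_minute"], n)
    for s in stats.values():
        # A burst of ANY for our own zone, or an impossible source, marks a victim address.
        s["flagged"] = s["peak_per_minute"] >= per_minute_threshold or s["rfc1918"]
    return stats


def build_sample_log():
    """Constructed log: one reflection victim, one RFC 1918 'source', normal lookups."""
    lines = [
        f"02-Dec-2011 08:17:{i // 10:02d}.{(i % 10) * 100:03d} client 74.125.90.83#53: "
        f"query: traffiq.com IN ANY +E (192.0.2.53)"
        for i in range(40)
    ]
    lines.append("02-Dec-2011 08:17:04.010 client 10.20.30.40#53: "
                 "query: traffiq.com IN ANY + (192.0.2.53)")
    lines += [
        f"02-Dec-2011 08:17:0{i}.500 client 198.51.100.7#5{i}234: "
        f"query: www.traffiq.com IN A +E (192.0.2.53)"
        for i in range(3)
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for src, s in sorted(analyze(build_sample_log()).items()):
        print(f"{src:15} any={s['any_queries']:3} peak/min={s['peak_per_minute']:3} "
              f"amp~{s['amplification']:.1f}x rfc1918={s['rfc1918']} flagged={s['flagged']}")
```

On the sample, the Google address shows 40 ANY queries in one minute and roughly 12x payload amplification (about 17x for a query without EDNS), and the 10.20.30.40 "source" is flagged on sight. Two caveats for anyone turning this into a control: the flagged addresses are victims, not attackers, so dropping their traffic outright punishes them, which is why the later BIND Response Rate Limiting feature (`rate-limit { responses-per-second ...; };`, added after this thread) slows or truncates identical responses per client prefix rather than blackholing; and per-query-type rate limiting on the server only shrinks the amplifier, it does not remove the root cause, which is the absence of source-address validation (BCP38 / uRPF) at the networks the spoofed packets leave.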