In message <caljcmpma-gxuerpufeawtgzn4qtvkxjtaefl3d9gc0otvs9...@mail.gmail.com>, toor writes:
> Hi list,
>
> I am wondering if anyone else has seen a large amount of DNS queries
> coming from various IP ranges in China. I have been trying to find a
> pattern in the attacks but so far I have come up blank. I am completely
> guessing these are possibly DNS amplification attacks but I am not
> sure. Usually what I see is this:
>
> - Attacks most commonly between the hours of 4AM-4PM UTC
> - DNS queries appear to be for real domains that the DNS servers in
>   question are authoritative for (I can't really see any pattern there,
>   there are about 150,000 zones on the servers in question)
> - From a range of IPs there will be an attack for approximately 5-10
>   minutes before stopping and then a break of 30 minutes or so before
>   another attack from a different IP range
> - Every IP range has been from China
>
> I have limited the number of queries that can be done to mitigate this
> but it's messing up my pretty netflow graphs due to the spikes in
> flows/packets being sent.
>
> Does anyone have any ideas what the reasoning behind this could be? I
> would also be interested to hear from anyone else experiencing this
> too.
>
> I can provide IP ranges from where I am seeing the issue but it does
> vary a lot between the attacks with the only pattern every time being
> the source address is located in China. I read a thread earlier,
> http://seclists.org/nanog/2011/Nov/920, which sounds like the exact
> thing I am seeing.
>
> Thanks
Most of the time you will be being used as an amplifier and the source traffic is spoofed. The short periods are so that it is harder to trace the compromised machines.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
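The pattern toor describes (a few minutes of high query rate from one source range, a pause, then another range) is easy to pull out of an authoritative server's query log once you aggregate by source prefix and minute. The script below is an added example, not code from the thread or from ISC; it assumes BIND-style query log lines and constructs its own sample (a 6-minute burst of ANY queries for a hosted zone from 203.0.113.0/24 plus low background traffic from 198.51.100.0/24). The zone list, the 100 queries/minute threshold and the 3-minute minimum burst length are illustrative assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Assumed BIND-style query log line (constructed format, not taken from the thread):
# "10-Jan-2012 06:00:00.000 client 203.0.113.1#20000: query: hosted-example.com IN ANY +E (ns1)"
LOG_LINE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
    r"(?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return (timestamp, source ip, qname, qtype) or None for non-matching lines."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("ip"), m.group("name").rstrip(".").lower(), m.group("qtype")


def source_prefix(ip, bits=24):
    """Collapse a source address to its /24; spoofed floods usually walk a whole range."""
    return str(ip_network(f"{ip}/{bits}", strict=False))


def find_bursts(minute_counts, qpm_threshold, min_minutes):
    """Runs of consecutive minutes at or above qpm_threshold -> [(start, length, peak)]."""
    bursts, run_start, run_len, run_peak, prev = [], None, 0, 0, None
    for minute in sorted(minute_counts):
        n = minute_counts[minute]
        hot = n >= qpm_threshold
        contiguous = prev is not None and minute - prev == timedelta(minutes=1)
        if hot and run_start is not None and contiguous:
            run_len, run_peak = run_len + 1, max(run_peak, n)
        else:
            if run_len >= min_minutes:
                bursts.append((run_start, run_len, run_peak))
            run_start, run_len, run_peak = (minute, 1, n) if hot else (None, 0, 0)
        prev = minute
    if run_len >= min_minutes:
        bursts.append((run_start, run_len, run_peak))
    return bursts


def analyze(lines, authoritative_zones, qpm_threshold=100, min_minutes=3):
    """Per source /24: burst windows, share of ANY queries, share of names we are
    authoritative for. A high-rate, ANY-heavy, all-authoritative burst is the
    reflection signature; the 'source' is then the spoofed victim, not the attacker."""
    counts = defaultdict(lambda: defaultdict(int))   # prefix -> minute -> queries
    qtypes = defaultdict(lambda: defaultdict(int))   # prefix -> qtype -> queries
    auth_hits, total = defaultdict(int), defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, name, qtype = parsed
        prefix = source_prefix(ip)
        counts[prefix][ts.replace(second=0)] += 1
        qtypes[prefix][qtype] += 1
        total[prefix] += 1
        if any(name == z or name.endswith("." + z) for z in authoritative_zones):
            auth_hits[prefix] += 1
    report = []
    for prefix, minute_counts in counts.items():
        for start, length, peak in find_bursts(minute_counts, qpm_threshold, min_minutes):
            report.append({
                "prefix": prefix, "start": start.isoformat(), "minutes": length,
                "peak_qpm": peak,
                "any_share": qtypes[prefix].get("ANY", 0) / total[prefix],
                "authoritative_share": auth_hits[prefix] / total[prefix],
            })
    return sorted(report, key=lambda r: r["start"])


def make_sample():
    """Constructed sample log: one reflection burst plus ordinary background queries."""
    lines, base = [], datetime(2012, 1, 10, 6, 0, 0)
    for m in range(6):                       # 6 minutes x 150 ANY queries/min, spoofed /24
        for i in range(150):
            ts = base + timedelta(minutes=m, seconds=i % 60)
            lines.append(f"{ts:%d-%b-%Y %H:%M:%S}.{i % 1000:03d} client 203.0.113.{i % 254 + 1}"
                         f"#{20000 + i}: query: hosted-example.com IN ANY +E (ns1)")
    for m in range(40):                      # 40 minutes x 5 A queries/min, normal clients
        for i in range(5):
            ts = base + timedelta(minutes=m, seconds=i * 10)
            lines.append(f"{ts:%d-%b-%Y %H:%M:%S}.000 client 198.51.100.{i + 1}"
                         f"#{30000 + i}: query: www.other-example.net IN A -E (ns1)")
    return lines


if __name__ == "__main__":
    for r in analyze(make_sample(), {"hosted-example.com"}):
        print(r)
```

Read the output with Mark's point in mind: the flagged prefix is where the amplified responses are being sent, i.e. the spoofed victim, so geolocating it says nothing about who is driving the attack. The useful lever is the one toor already pulled, limiting how many responses a given source prefix gets per second, rather than blocking ranges by country.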