We ran into a 25Gbps SNMP 'reply/amplification attack' from a cable modem network about a month ago.
Hopefully the particular network has fixed that issue now, but it was a banner day to be sure.

Thanks,
-Drew

-----Original Message-----
From: virendra rode [mailto:virendra.r...@gmail.com]
Sent: Wednesday, January 18, 2012 8:58 AM
To: nanog@nanog.org
Subject: Re: DNS Attacks

Hi -

We've been victims of these attacks many a time, and more recently towards our customer DNS servers, which was rated at ~4 Gbps for a duration of 30 mins.

Tracking the source of an attack is simplified when the source is more likely to be "valid". The nature of these attacks for us was a combination of amplification and spoofed; however, implementing anti-spoofing (uRPF), especially BCP38, is a good idea. Not saying it's a fix, but certainly the attack methodology will significantly lessen.

As Matt Katz rightly put it, "Distributed denial of service can only be solved with distributed delivery of service".

regards,
/virendra

On 01/17/2012 09:04 PM, toor wrote:
> Hi list,
>
> I am wondering if anyone else has seen a large amount of DNS queries
> coming from various IP ranges in China. I have been trying to find a
> pattern in the attacks but so far I have come up blank. I am completely
> guessing these are possibly DNS amplification attacks but I am not
> sure. Usually what I see is this:
>
> - Attacks most commonly between the hours of 4AM-4PM UTC
> - DNS queries appear to be for real domains that the DNS servers in
>   question are authoritative for (I can't really see any pattern there,
>   there are about 150,000 zones on the servers in question)
> - From a range of IPs there will be an attack for approximately 5-10
>   minutes before stopping and then a break of 30 minutes or so before
>   another attack from a different IP range
> - Every IP range has been from China
>
> I have limited the number of queries that can be done to mitigate this
> but it's messing up my pretty netflow graphs due to the spikes in
> flows/packets being sent.
>
> Does anyone have any ideas what the reasoning behind this could be? I
> would also be interested to hear from anyone else experiencing this
> too.
>
> I can provide IP ranges from where I am seeing the issue but it does
> vary a lot between the attacks, with the only pattern every time being
> the source address is located in China. I read a thread earlier,
> http://seclists.org/nanog/2011/Nov/920, which sounds like the exact
> thing I am seeing.
>
> Thanks
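Both posters above describe the same two things: an authoritative server being hit with queries for zones it really serves, and per-source query limiting as the mitigation. The script below is an added example, not code from anyone in the thread. It parses constructed BIND 9 style querylog lines (the log format, the addresses, the 60-second window and the 20-query limit are all assumptions), applies a sliding-window per-source limit the way a simple response rate limiter would, and then flags sources whose traffic that hit the limit was mostly "ANY" queries over EDNS, which is the classic amplification signature. One caveat the thread itself raises: in a reflection attack the logged client address is the spoofed victim, not the attacker, so a per-source limit protects the victim from your reflected replies; it does not tell you who is sending the queries. BCP38/uRPF on the networks that originate the spoofed packets is what addresses that.

```python
"""Added example: spot DNS amplification sources in an authoritative
server's query log and apply a per-source sliding-window rate limit.
Log format, addresses and thresholds are assumptions, not from the thread."""
import re
from collections import defaultdict, deque
from datetime import datetime


def _line(sec, src, qtype, flags):
    # Constructed BIND 9 querylog line (assumed layout, not real traffic).
    return (f"18-Jan-2012 09:00:{sec:02d}.000 client {src}#53 (example.com): "
            f"query: example.com IN {qtype} {flags} (192.0.2.1)")


# Constructed sample: 203.0.113.5 sends 30 "ANY +E" queries within 10 s
# (the amplification pattern); 198.51.100.7 sends three ordinary queries.
SAMPLE_LOG = "\n".join(
    [_line(i // 3, "203.0.113.5", "ANY", "+E") for i in range(30)]
    + [_line(5, "198.51.100.7", "A", "-"),
       _line(20, "198.51.100.7", "A", "-"),
       _line(40, "198.51.100.7", "MX", "-")])

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<src>[0-9.]+)#\d+ \([^)]*\): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)")


def parse_log(text):
    """Parse querylog lines into records sorted by timestamp."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not query records
        records.append({
            "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"),
            "src": m["src"],
            "name": m["name"],
            "qtype": m["qtype"],
            "edns": "E" in m["flags"],   # BIND marks EDNS queries with E
        })
    records.sort(key=lambda r: r["ts"])
    return records


def rate_limit(records, window_s=60, limit=20):
    """Sliding-window limit per source address.

    Returns per-source counters: queries allowed, queries dropped once the
    source exceeded `limit` in any `window_s` span, and how many of its
    queries were ANY and EDNS."""
    recent = defaultdict(deque)
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0, "any": 0, "edns": 0})
    for r in records:
        q = recent[r["src"]]
        # Expire timestamps that fell out of the window.
        while q and (r["ts"] - q[0]).total_seconds() >= window_s:
            q.popleft()
        s = stats[r["src"]]
        s["any"] += r["qtype"] == "ANY"
        s["edns"] += r["edns"]
        if len(q) >= limit:
            s["dropped"] += 1           # would not be answered
        else:
            q.append(r["ts"])
            s["allowed"] += 1
    return dict(stats)


def suspect_sources(stats, min_any_share=0.5):
    """Sources that hit the limit and mostly asked for ANY: the addresses
    most likely being spoofed as victims of a reflection attack."""
    out = []
    for src, s in stats.items():
        total = s["allowed"] + s["dropped"]
        if s["dropped"] and s["any"] / total >= min_any_share:
            out.append(src)
    return sorted(out)


if __name__ == "__main__":
    stats = rate_limit(parse_log(SAMPLE_LOG))
    for src, s in stats.items():
        print(src, s)
    print("suspect:", suspect_sources(stats))
```

Run against a real BIND querylog by replacing SAMPLE_LOG with the file contents; the window and limit should be tuned to what legitimate resolvers actually send you, since a busy recursive resolver behind NAT can legitimately exceed a naive per-address limit.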