Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long as it is not *my* firewalls I really don't care what they do ;-)
-- Leigh Porter > -----Original Message----- > From: Dennis [mailto:den...@justipit.com] > Sent: 18 January 2012 12:55 > To: Leigh Porter; toor > Cc: nanog@nanog.org > Subject: Re: DNS Attacks > > I agree with Roland on the firewall placement. I add that the attack > would have likely succeeded to exhaust the servers. There is alot of > recent ddos activity on DNS with what looks like legitimate queries. > You should also look at some DOS/ application level protections; > Radware and Arbor top the list. > > > Leigh Porter <leigh.por...@ukbroadband.com> wrote: > > > > > > >On 18 Jan 2012, at 05:06, "toor" <li...@1337.mx> wrote: > > > >> Hi list, > >> > >> I am wondering if anyone else has seen a large amount of DNS queries > >> coming from various IP ranges in China. I have been trying to find a > >> pattern in the attacks but so far I have come up blank. I am > completly > >> guessing these are possibly DNS amplification attacks but I am not > >> sure. Usually what I see is this: > >> > > > >At various seemingly random times over the past week I have had a DNS > which is behind a firewall come under attack. The firewall is > significant because the attacks killed the firewall as it is rather > under specified (not my idea..). > > > >It did originate from Chinese address space and consisted of DNS > queries for lots of hosts. There was also a port-scan in the traffic > and a SYN attack on a few hosts on the same small subnet as the DNS, a > web server and an open SSH port. > > > >-- > >Leigh Porter > > > > > >______________________________________________________________________ > >This email has been scanned by the Symantec Email Security.cloud > service. > >For more information please visit http://www.symanteccloud.com > >______________________________________________________________________ > > > > > > ______________________________________________________________________ > This email has been scanned by the Symantec Email Security.cloud > service. > For more information please visit http://www.symanteccloud.com > ______________________________________________________________________ ______________________________________________________________________ This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com ______________________________________________________________________
