We have had this type of attack in Bucharest/Romania since last
Friday. The targets were IPs of some local webhosters, but at one
moment we even saw IPs from Go Daddy.
Tcpdump will show something like:
11:10:41.447079 IP target > open_resolver_ip.53: 80+ [1au] ANY? isc.org. (37)
11:10:41.447082 IP target > open_resolver_ip.53: 59147+ [1au] ANY? isc.org. (37)
11:10:41.447084 IP target > open_resolver_ip.53: 13885+ [1au] ANY? isc.org. (37)
After one week the attack has been mostly mitigated, and the remaining
open resolvers are probably Windows servers. Apparently in bill'g world
it is impossible to restrict the recursion.
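
An added example, not part of the original post: a small detector that a resolver operator could run over tcpdump text output in the format shown above to flag sources that appear to send bursts of ANY queries for one name. In this traffic pattern the flagged source is the address that receives the amplified answers. The threshold, the time window and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the tcpdump format quoted in the post; hostnames are placeholders.
SAMPLE = """\
11:10:41.447079 IP target > open_resolver_ip.53: 80+ [1au] ANY? isc.org. (37)
11:10:41.447082 IP target > open_resolver_ip.53: 59147+ [1au] ANY? isc.org. (37)
11:10:41.447084 IP target > open_resolver_ip.53: 13885+ [1au] ANY? isc.org. (37)
11:10:42.100000 IP client_a > open_resolver_ip.53: 4411+ A? example.com. (29)
"""

# time, source, destination port 53, query id + flags, optional EDNS section, qtype, qname, length
LINE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+)\.53: "
    r"(?P<id>\d+)(?P<flags>[+%]*) (?:\[(?P<edns>[^\]]*)\] )?"
    r"(?P<qtype>\w+)\? (?P<qname>\S+) \((?P<len>\d+)\)$"
)

def parse(text):
    """Yield (seconds_since_midnight, src, qtype, qname) for each DNS query line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
            yield ts, m["src"], m["qtype"].upper(), m["qname"].lower()

def suspected_victims(text, threshold=3, window=1.0):
    """Return {(src, qname): n} where n >= threshold ANY queries fall within `window` seconds."""
    times = defaultdict(list)
    for ts, src, qtype, qname in parse(text):
        if qtype == "ANY":
            times[(src, qname)].append(ts)
    hits = {}
    for key, stamps in times.items():
        stamps.sort()
        start = best = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[key] = best
    return hits

if __name__ == "__main__":
    for (src, qname), n in suspected_victims(SAMPLE).items():
        print(f"{src}: {n} ANY? {qname} queries within 1s (source address likely spoofed)")
```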