On Sep 27, 2012, at 11:34 , Stephane Bortzmeyer <bortzme...@nic.fr> wrote: > On Thu, Sep 27, 2012 at 08:55:58AM -0600, Miguel Mata <mm...@intercom.com.sv> > wrote > a message of 30 lines which said: > >> Guys, > > No gals on NANOG?
Many. Although in fairness, some people use "guys" in a gender-neutral manner. >> The attacks comes from various sites from the other side of the pond >> (46.165.197.xx, 213.152.180.yy). > > How can you be sure? With UDP, you have zero guarantee on the source > IP address. (Checking the TTL can give you a hint if the packets > really come from the same point.) > > Source and destination port? If source port is 53, it may means you're > the target of a DNS reflection+amplification attack, a la CloudFlare > <http://blog.cloudflare.com/65gbps-ddos-no-problem>. I do not know of any name servers that reply to queries with UDP packets filled with only the letter X. The DNS Headers alone require more than the letter "X". -- TTFN, patrick
