Discuss mailing list

[Dean Gardiner <fuzeman91 AT gmail.com>]

Had a DoS to my inactive DNS server (damm UDP) ~10 hours ago but was for ripe.net. If these attacks continue happening monthly I might need to consider blocking all incoming traffic on port 53 at my ISP as these are becoming very disruptive to other services.

From memory the attack I got the source IP wasn't one of the IP Addresses you listed though. I posted a list of ~10 addresses that were involved in the last DDoS, wonder if this attack matches them? I assume this would be some kind of botnet so they could easily have changed addresses.

- Dean

On Oct 18, 2012 9:51 AM, "Martin C" <martin AT mchomenet.com> wrote:

I know it was mentioned before on this list, but I can't remember if any
IP addresses were mentioned. Anyway, I was watching the logs the other
day and noticed one IP doing a lot of lookups for the same domain over
and over again (isc.org).

I thought nothing of it until I received a notice from the VPS supplier
that I had used over 80% of my traffic quota. I have never received that
message before so I investigated into what could be using so much
traffic. Sure enough, there was that IP address again, doing several
10's of lookups a second at least.

108.162.203.21 was doing the most, followed by 173.244.212.106, and then
93.114.45.21.

I hope I haven't accidentally blocked the IP of an OpenNIC T1 testing
server, if I have, let me know. Otherwise, this is a heads up about a
possible DoS attempt which as it turned out, was highly annoying.

--
Martin C.