discuss - Re: [opennic-discuss] DoS amp attack / Top20

discuss AT lists.opennicproject.org

Subject: Discuss mailing list

  • From: <kennytaylor AT runbox.com>
  • To: "discuss" <discuss AT lists.opennicproject.org>
  • Subject: Re: [opennic-discuss] DoS amp attack / Top20
  • Date: Mon, 29 Apr 2013 09:13:44 -0700 (PDT)

I see a ton of ANY queries against isc.org. The query is around 100 bytes
and the response is around 4500 bytes. I see 3-4 spoofed source addresses at
a time. Odd thing is, when I block those source addresses, I start seeing
3-4 new source addresses. It looks as if the attacker detected the blocking,
which should not be possible with a spoofed IP.

The source addresses are always residential ISPs. It makes me wonder if this
is the action of a botnet, the source addresses are not spoofed, and isc.org
is the real target (via the recursive query).



----- Start Original Message -----
Sent: Mon, 29 Apr 2013 07:47:50 -0600
From: Jeff Taylor <shdwdrgn AT sourpuss.net>
To: discuss AT lists.opennicproject.org
Subject: Re: [opennic-discuss] DoS amp attack / Top20

> The problem with trying to make a list is that a DNS amplification
> attack uses UDP, and requires no return information to make the attack
> work... So you really have no idea if these IP addresses were spoofed,
> and/or if they were in fact the intended victim of the attack.
>
>
> On 04/29/2013 04:33 AM, Uwe (ML) Kiewel wrote:
> > According to my IPS here are the top 20 - counting from 04/22/2013 until
> > 04/28/2013
> >
> >
> > --------
> > You are a member of the OpenNIC Discuss list.
> > You may unsubscribe by emailing
> > discuss-unsubscribe AT lists.opennicproject.org
>

----- End Original Message -----
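
An added example, not part of the original messages: because the thread describes source addresses that cannot be trusted and that change once blocked, this Python sketch keys detection on the query name and type instead, using the response-to-query byte ratio. The log format, the sample lines (documentation-range addresses) and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample log, assumed format:
# "epoch src_ip qname qtype query_bytes response_bytes"
SAMPLE_LOG = """\
1367251200 192.0.2.10 isc.org ANY 100 4500
1367251200 192.0.2.11 isc.org ANY 100 4500
1367251201 192.0.2.12 isc.org ANY 100 4500
1367251201 192.0.2.10 isc.org ANY 100 4500
1367251202 198.51.100.7 example.org A 70 86
1367251203 203.0.113.5 isc.org ANY 100 4500
1367251203 198.51.100.7 example.org AAAA 70 98
""".splitlines()


def find_amplified(lines, min_factor=10.0, min_queries=3):
    """Group queries by (qname, qtype) and flag groups whose
    response/query byte ratio and query count both reach the
    (assumed) thresholds. Source addresses are only counted."""
    stats = defaultdict(
        lambda: {"queries": 0, "q_bytes": 0, "r_bytes": 0, "sources": set()})
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines
        _ts, src, qname, qtype, qb, rb = parts
        if not (qb.isdigit() and rb.isdigit()) or int(qb) == 0:
            continue  # skip non-numeric or zero-length sizes
        s = stats[(qname.lower().rstrip("."), qtype.upper())]
        s["queries"] += 1
        s["q_bytes"] += int(qb)
        s["r_bytes"] += int(rb)
        s["sources"].add(src)
    flagged = {}
    for key, s in stats.items():
        factor = s["r_bytes"] / s["q_bytes"]
        if factor >= min_factor and s["queries"] >= min_queries:
            flagged[key] = {"queries": s["queries"],
                            "sources": len(s["sources"]),
                            "factor": round(factor, 1)}
    return flagged


if __name__ == "__main__":
    for (qname, qtype), info in find_amplified(SAMPLE_LOG).items():
        print(qname, qtype, info)
```

A flagged (qname, qtype) pair is a candidate for rate limiting or refusal on the resolver regardless of which source addresses appear next.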

