Possible DDoS?

Manson, John John.Manson at mail.house.gov
Wed Oct 17 18:34:29 UTC 2012


Thanks
So that is why there are usually no NS records?

-----Original Message-----
From: Chuck Swiger [mailto:cswiger at mac.com]
Sent: Wednesday, October 17, 2012 2:31 PM
To: Manson, John
Cc: bind-users at lists.isc.org
Subject: Re: Possible DDoS?

Hi--

On Oct 17, 2012, at 11:17 AM, Manson, John wrote:
> From time to time I notice a large number of queries like these to one of my external dns servers:
>
> 14:14:40.01407 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
> [ ... ]
> 14:14:40.98668 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
> 14:14:40.99417 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
>
> Does this rise to the level of a DDoS attack?
> No NS record for this IP.
> I blackhole IPs that behave like this.

That sure looks to be a DNS-based DDoS.  Note that IP 121.10.105.66 is actually
the victim being attacked-- the attackers forge that address and make queries which
send lots of traffic to it.

Blackholing them on your side will mitigate against the DDoS, but also break any
legitimate traffic which they might send.  (They can always use public DNS servers
like 4.2.2.1 or 8.8.8.8 if they need to, though, so don't worry about legit
requests from them too much.)

Regards,
--
-Chuck
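The capture quoted above is the classic signature of a DNS reflection attack: one "source" address hammering an authoritative server with type ANY queries (snoop prints the type as "*") so that the large answers land on the spoofed address, which is the real victim. The following script is an added example, not part of the original thread or of BIND; it parses snoop-style query lines in the format shown in the capture (an assumed format, with the sample lines constructed here), buckets them per source and per second, and flags sources whose burst rate and share of amplifying query types look like a reflection flood.

```python
"""Flag likely DNS reflection/amplification sources in snoop-style query lines.

Added example; not from the original thread. Assumed line format, as in the
posted capture (snoop prints type ANY as "*"):
    <hh:mm:ss.frac> <src> -> <dst> DNS C <qname> Internet <qtype> ?
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+"
    r"DNS C (?P<qname>\S+)\s+Internet\s+(?P<qtype>\S+)\s+\?"
)

# Query types whose answers are large relative to the query, hence favoured
# by reflection attacks. ANY is by far the most common in practice.
AMPLIFYING_TYPES = ("ANY", "TXT", "DNSKEY", "RRSIG")


def parse_line(line):
    """Parse one snoop-style line into a dict, or None if it is not a query line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["qtype"] = "ANY" if rec["qtype"] == "*" else rec["qtype"]
    hh, mm, ss = rec["ts"].split(":")
    # Whole-second bucket; the fraction is dropped on purpose.
    rec["second"] = int(hh) * 3600 + int(mm) * 60 + int(float(ss))
    return rec


def find_reflection_sources(lines, threshold=10):
    """Return {src: stats} for sources that sent >= threshold queries within one second.

    stats: peak_qps, total, amplifying_fraction (share of ANY/TXT/DNSKEY/RRSIG),
    and the set of names queried. A flagged address is the spoofed *victim*,
    not the attacker, so the stats are meant to drive rate limiting, not blocking.
    """
    per_second = defaultdict(lambda: defaultdict(int))
    total = defaultdict(int)
    amplifying = defaultdict(int)
    names = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src = rec["src"]
        per_second[src][rec["second"]] += 1
        total[src] += 1
        names[src].add(rec["qname"])
        if rec["qtype"] in AMPLIFYING_TYPES:
            amplifying[src] += 1

    flagged = {}
    for src, buckets in per_second.items():
        peak = max(buckets.values())
        if peak >= threshold:
            flagged[src] = {
                "peak_qps": peak,
                "total": total[src],
                "amplifying_fraction": amplifying[src] / total[src],
                "qnames": sorted(names[src]),
            }
    return flagged


# Constructed sample: a burst of 12 ANY queries in one second from the address
# seen in the posted capture, plus three ordinary queries from other clients.
SAMPLE_LINES = [
    f"14:14:40.{i:05d} 121.10.105.66 -> 143.231.1.67 DNS C "
    f"{'gop.gov.' if i % 16000 else 'speaker.gov.'} Internet * ?"
    for i in range(0, 96000, 8000)
] + [
    "14:14:39.50010 192.0.2.10 -> 143.231.1.67 DNS C www.house.gov. Internet Addr ?",
    "14:14:40.20000 192.0.2.10 -> 143.231.1.67 DNS C mail.house.gov. Internet Addr ?",
    "14:14:41.31000 198.51.100.7 -> 143.231.1.67 DNS C house.gov. Internet MX ?",
]

if __name__ == "__main__":
    for src, info in find_reflection_sources(SAMPLE_LINES).items():
        print(f"{src}: peak {info['peak_qps']} q/s, {info['total']} queries, "
              f"{info['amplifying_fraction']:.0%} amplifying types, names {info['qnames']}")
```

The address this flags is the one the attacker is aiming at, so the proportionate response is to limit how many identical answers the server sends back to it (modern BIND versions provide this as the `rate-limit` option; in 2012 it was a patch) rather than to drop all its traffic, which, as Chuck notes, also breaks any legitimate lookups coming from that address. The threshold of ten queries per second is a starting point to tune against your own normal per-client rates.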
