-----BEGIN PGP SIGNED MESSAGE-----

On Tue, 09 Jan 2001, you wrote:
> I'm surprised this hasn't come up in NANOG yet...
>
> On a university list many sites are reporting large amounts of traffic appearing to come from 209.67.50.203 to their DNS servers. The administrator of the source IP (spoofed of course) is the victim of a brutal DoS attack. The traffic is UDP/DNS queries that appear to be going directly to available DNS servers (as opposed to random hosts). Most sites are reporting on the order of 6 or more packets per second to their DNS servers. The victim has apparently seen upwards of 90 Mb/s of traffic coming back in to them. Does anyone here have any more information on this attack?
Hello all,

209.67.50.203 is one of our (Register.com's) IP addresses. On January 4 at approximately 5:30 pm Register.com was attacked by the large-scale DNS attack described above. The nature of the attack itself is explained in detail in CERT Incident Notes 2000-04, available at:

http://www.cert.org/incident_notes/IN-2000-04.html

At its peak, the attack significantly increased the amount of incoming traffic from our providers. Within a short time we had blocked the attack at our border routers, and by evening of the next day our upstreams had blocked it also. While the attack is still continuing, the impact on our upstreams has decreased, mostly due to individual ISPs who started access-listing off the incoming spoofed packets.

Although we are not currently being negatively affected by the attack, the annoyance level is significant enough that the FBI has been notified. Meanwhile, we are focusing our energies on 1) notifying as many of the parties that are being used as "amplifiers" as possible and 2) asking them to contact their upstreams to try to trace back the traffic to a provider. We are trying to compile a listing of all the DNS servers being used as amplifiers; unfortunately, trying to create such a list is tough to do, given the distribution of the attack.

The specifics of the attack are a source address of 209.67.50.203 (futuresite.register.com) and a UDP destination port of 53. The DNS requests themselves are MX record requests for aol.com. It looks like a 25 byte DNS request yields a 500 byte response, which is not a bad ROI. If anyone is concerned about whether or not they are being used as an amplifier, they can place access-lists on their routers to block packets with the above criteria without denying any normal services; there is no reason for that IP address to be making DNS requests.
For anyone who is being used as an amplifier, we would ask that you contact your upstreams and ask them to initiate a traceback, or contact me directly:

Matthew Zito
Systems Engineer
Register.com
Ph: 212-798-9205
mzito@register.com

If anyone has any useful information or questions, please feel free to contact me. We will also be sure to notify this list as pertinent information arises. Thanks to everyone on and off this list who has been helping us over the last few days; we all appreciate it. All correspondence will be kept in strict confidence.

Thanks again,
Matt Zito

-- 
Matthew J. Zito
Systems Engineer
Register.com, Inc., 11th Floor, 575 8th Avenue, New York, NY 10018
Ph: 212-798-9205
PGP Key Fingerprint: 4E AC E1 0B BE DD 7D BC D2 06 B2 B0 BF 55 68 99

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQEVAwUBOlvEtULSU8UoXSlNAQERvAgAg4B8lvQHtfw5Yth61D/BbwMBgL36AM7P
QDfQZQ46fp/F8goXtbdBtpalvTUAV6tkKc4jC79AZsrrCx08xqBk/BHQHDT6/1Ru
Um/eF0LYMYMj4fh9fDWYzBK4GPETWw/VgwOywe7mORM8HFOKMrV7Q+U3bdwDL73M
SXGqY725QJfcuRkfd+8RJilOXzVoa3BxDcn+QxZwxL5qGdfZ1TJhmJHtLHI4mE9Y
S3xzps96hH+J6jrGZIcjLYzhS12xYpcgZE7jBkhdMv2lTAQx2iQE2KPDFgYbOOgx
aA90QsFM/hB1pC1zvCZD7sbQfoCj4+L4r7sdqhiC0DhV4sFtdRxLbA==
=Rka3
-----END PGP SIGNATURE-----
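The message above gives the operator of a DNS server three things to look for in order to tell whether it is being used as an amplifier: a burst of queries (6+ per second) from a single source, a query type that returns a much larger answer than the question (25 byte MX request for aol.com, ~500 byte response), and a source that has no business querying that server at all. The following is an added example, not code from the NANOG thread or from Register.com. It assumes a resolver or flow collector that exports one record per query with a timestamp, client address, query name and type, and request/response sizes; that record layout, the field names and the sample records are invented for the example, and the sample uses the figures quoted in the thread.

```python
"""Detect DNS amplification abuse in resolver query records.

Added example, not code from the NANOG thread or from Register.com. It
assumes a resolver or flow collector that emits one record per query with a
timestamp, the client (source) address, the query name and type, and the
request/response sizes in bytes; the record layout and field names are
invented for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# (timestamp_s, client_ip, qname, qtype, request_bytes, response_bytes)
Record = Tuple[float, str, str, str, int, int]

# Constructed sample records. The spoofed client sends a burst of MX queries
# for aol.com that each return a ~500 byte answer to a 25 byte question; the
# other clients show ordinary lookup patterns.
SAMPLE_RECORDS: List[Record] = (
    [(i * 0.15, "209.67.50.203", "aol.com", "MX", 25, 500) for i in range(10)]
    + [
        (0.5, "192.0.2.10", "www.example.net", "A", 33, 49),
        (4.0, "192.0.2.10", "mail.example.net", "A", 34, 50),
        (9.0, "192.0.2.10", "example.net", "MX", 29, 90),
        (2.0, "198.51.100.7", "aol.com", "MX", 25, 500),
    ]
)


@dataclass
class ClientStats:
    """Per-source aggregate used to judge whether we are amplifying for it."""
    queries: int = 0
    request_bytes: int = 0
    response_bytes: int = 0
    first_seen: float = float("inf")
    last_seen: float = float("-inf")
    qtypes: Dict[str, int] = field(default_factory=lambda: defaultdict(int))

    def amplification(self) -> float:
        """Bytes sent back per byte received (20.0 for a 25 -> 500 byte query)."""
        if not self.request_bytes:
            return 0.0
        return self.response_bytes / self.request_bytes

    def rate(self) -> float:
        """Queries per second over the observed span, floored at a 1 s window so
        that a single query never divides by zero or reports an inflated rate."""
        span = max(self.last_seen - self.first_seen, 1.0)
        return self.queries / span


def aggregate(records: Iterable[Record]) -> Dict[str, ClientStats]:
    """Roll the per-query records up into one ClientStats per source address."""
    stats: Dict[str, ClientStats] = defaultdict(ClientStats)
    for ts, client, _qname, qtype, req, resp in records:
        s = stats[client]
        s.queries += 1
        s.request_bytes += req
        s.response_bytes += resp
        s.first_seen = min(s.first_seen, ts)
        s.last_seen = max(s.last_seen, ts)
        s.qtypes[qtype] += 1
    return dict(stats)


def find_amplifier_abuse(
    records: Iterable[Record],
    min_queries: int = 5,
    min_ratio: float = 10.0,
    min_rate: float = 6.0,
) -> Dict[str, ClientStats]:
    """Return the clients whose query stream looks like reflected attack traffic.

    All three thresholds must be met: enough queries to matter, a high
    response/request byte ratio, and a sustained query rate. The defaults
    follow the figures quoted in the thread (6+ pps, 25 byte question,
    ~500 byte answer).
    """
    flagged: Dict[str, ClientStats] = {}
    for client, s in aggregate(records).items():
        if (s.queries >= min_queries
                and s.amplification() >= min_ratio
                and s.rate() >= min_rate):
            flagged[client] = s
    return flagged


if __name__ == "__main__":
    for client, s in find_amplifier_abuse(SAMPLE_RECORDS).items():
        print(f"{client}: {s.queries} queries, x{s.amplification():.1f} amplification, "
              f"{s.rate():.1f} qps, qtypes={dict(s.qtypes)}")
```

A source that trips all three thresholds is the one to put in the router access-list the message recommends (UDP, that source address, destination port 53) and to report upstream for traceback. The single stray MX query from 198.51.100.7 in the sample shows why the rate and count thresholds matter: one large answer is normal resolver behaviour, a sustained stream of them from one spoofed address is not.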