On Tue, Jan 09, 2001 at 07:24:39PM -0500, Steven M. Bellovin wrote:
In message <3A5BA3C3.CEAAD37D@depaul.edu>, John Kristoff writes:
I'm surprised this hasn't come up in NANOG yet...
On a university list many sites are reporting large amounts of traffic appearing to come from 209.67.50.203 to their DNS servers. The administrator of the source IP (spoofed of course) is the victim of a brutal DoS attack. The traffic is UDP/DNS queries that are appear to be going directly to available DNS servers (as opposed to random hosts). Most sites are reporting on the order of 6 or more packets per second to their DNS servers. The victim has apparently seen upwards of 90 Mb/s of traffic coming back in to them. Does anyone here have anymore information on this attack?
Yes, it's a DDoS attack, of the type that Vern Paxson has dubbed "refletor attacks". You send a forged DNS query to a DNS server; it sends its reply to the victim. Then you have lots of hosts around the net doing this, but banging on different DNS servers.
A good way to reduce this is to turn off recursion for people not on your network for your dns server. This is fairly easy to do with bind8/bind9. - Jared -- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine. END OF LINE | Manager of IP networks built within my own home