Peace,

On Mon, Dec 9, 2019 at 11:35 PM Florian Brandstetter via NANOG <nanog@nanog.org> wrote:
> if that was to be amplification, the source addresses would not be within Google or CloudFlare ranges (especially not CloudFlare, as they are not running a vulnerable recursor

Well, vulnerable — arguably of course, amplifying — yes, a few, around twenty. Not sure if they have any kind of rate limiting there (also not sure if it's legal for me to check it), especially given that the queries could come from spoofed sources. Anyway, in theory, their sources *could* be present in a DDoS (though not likely).

12:11:23.726699 IP (tos 0x0, ttl 64, id 9173, offset 0, flags [none], proto UDP (17), length 60)
    $IP.60801 > 172.65.253.110.53: 45631+ [1au] ANY? com. (32)
12:11:23.733976 IP (tos 0x0, ttl 60, id 30234, offset 0, flags [+], proto UDP (17), length 1500)
    172.65.253.110.53 > $IP.60801: 45631$ 22/0/1 com. SOA a.gtld-servers.net. nstld.verisign-grs.com. 1576020207 1800 900 604800 86400, com. RRSIG, com. NS a.gtld-servers.net., com. NS b.gtld-servers.net., com. NS c.gtld-servers.net., com. NS e.gtld-servers.net., com. NS i.gtld-servers.net., com. NS j.gtld-servers.net., com. NS g.gtld-servers.net., com. NS f.gtld-servers.net., com. NS l.gtld-servers.net., com. NS d.gtld-servers.net., com. NS k.gtld-servers.net., com. NS h.gtld-servers.net., com. NS m.gtld-servers.net., com. RRSIG, com. DNSKEY, com. DNSKEY, com. DNSKEY, com. RRSIG[|domain]

--
Töma
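
Added example, not part of the original message: a small parser for `tcpdump -v` output like the capture above that pairs each DNS query with its response and reports the IP-length ratio an operator would use to judge how much a resolver amplifies. The sample input is constructed from the capture, with the redacted `$IP` replaced by the documentation address 192.0.2.10 and the answer records shortened; the function and field names are assumptions of this example.

```python
import re

# Constructed sample: the two packets from the capture in the message, with
# $IP replaced by 192.0.2.10 (documentation range) and the answers shortened.
SAMPLE = """\
12:11:23.726699 IP (tos 0x0, ttl 64, id 9173, offset 0, flags [none], proto UDP (17), length 60)
    192.0.2.10.60801 > 172.65.253.110.53: 45631+ [1au] ANY? com. (32)
12:11:23.733976 IP (tos 0x0, ttl 60, id 30234, offset 0, flags [+], proto UDP (17), length 1500)
    172.65.253.110.53 > 192.0.2.10.60801: 45631$ 22/0/1 com. SOA a.gtld-servers.net. [|domain]
"""

# First line of each packet: IP flags and total IP length.
HDR = re.compile(r"^\S+ IP \(.*?flags \[([^\]]*)\], proto UDP \(17\), length (\d+)\)")
# Second line: src.port > dst.port: <dns id><flag chars> <rest of DNS summary>
DNS = re.compile(r"^\s+(\S+)\.(\d+) > (\S+)\.(\d+): (\d+)\S* (.*)$")

def amplification(text):
    """Return one dict per matched query/response pair found in the capture."""
    pending, results, hdr = {}, [], None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            hdr = (m.group(1), int(m.group(2)))
            continue
        m = DNS.match(line)
        if not (m and hdr):
            continue
        (flags, ip_len), hdr = hdr, None
        src, sport, dst, dport, qid, rest = m.groups()
        if dport == "53":                      # query towards the resolver
            pending[(src, sport, dst, qid)] = (ip_len, rest)
        elif sport == "53":                    # response from the resolver
            query = pending.pop((dst, dport, src, qid), None)
            if query is None:
                continue                       # unsolicited or unmatched reply
            q_len, q_rest = query
            results.append({
                "server": src,
                "query_len": q_len,
                "response_len": ip_len,
                "ratio": ip_len / q_len,
                # "+" is tcpdump's More Fragments flag: only the first fragment
                # was counted, so the true ratio is higher than reported.
                "lower_bound": "+" in flags,
                "any_query": "ANY?" in q_rest,
            })
    return results

if __name__ == "__main__":
    for row in amplification(SAMPLE):
        print(row)
```
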