Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long as it is not *my* firewalls I really don't care what they do ;-) -- Leigh Porter
-----Original Message----- From: Dennis [mailto:dennis@justipit.com] Sent: 18 January 2012 12:55 To: Leigh Porter; toor Cc: nanog@nanog.org Subject: Re: DNS Attacks
I agree with Roland on the firewall placement. I add that the attack would have likely succeeded to exhaust the servers. There is alot of recent ddos activity on DNS with what looks like legitimate queries. You should also look at some DOS/ application level protections; Radware and Arbor top the list.
Leigh Porter <leigh.porter@ukbroadband.com> wrote:
On 18 Jan 2012, at 05:06, "toor" <lists@1337.mx> wrote:
Hi list,
I am wondering if anyone else has seen a large amount of DNS queries coming from various IP ranges in China. I have been trying to find a pattern in the attacks but so far I have come up blank. I am
completly
guessing these are possibly DNS amplification attacks but I am not sure. Usually what I see is this:
At various seemingly random times over the past week I have had a DNS which is behind a firewall come under attack. The firewall is significant because the attacks killed the firewall as it is rather under specified (not my idea..).
It did originate from Chinese address space and consisted of DNS queries for lots of hosts. There was also a port-scan in the traffic and a SYN attack on a few hosts on the same small subnet as the DNS, a web server and an open SSH port.
-- Leigh Porter
______________________________________________________________________ This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com ______________________________________________________________________
______________________________________________________________________ This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com ______________________________________________________________________
______________________________________________________________________ This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com ______________________________________________________________________