On Sep 27, 2012, at 11:34 , Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
On Thu, Sep 27, 2012 at 08:55:58AM -0600, Miguel Mata <mmata@intercom.com.sv> wrote a message of 30 lines which said:
Guys,
No gals on NANOG?
Many. Although in fairness, some people use "guys" in a gender-neutral manner.
The attacks comes from various sites from the other side of the pond (46.165.197.xx, 213.152.180.yy).
How can you be sure? With UDP, you have zero guarantee on the source IP address. (Checking the TTL can give you a hint if the packets really come from the same point.)
Source and destination port? If source port is 53, it may means you're the target of a DNS reflection+amplification attack, a la CloudFlare <http://blog.cloudflare.com/65gbps-ddos-no-problem>.
I do not know of any name servers that reply to queries with UDP packets filled with only the letter X. The DNS Headers alone require more than the letter "X". -- TTFN, patrick