I am wondering if anyone else is seeing a sudden increase in DNS attacks emanating from Chinese IP addresses? Over the past 24 hours we've seen a sudden rash of Chinese IPs attacking our DNS servers in the order of 5 to 10 million PPS for periods of 5 to 10 mins, repeated every 20 to 30 minutes.
This anomalous traffic started roughly 24 hours ago, and while we've had occasions of anomalous Chinese traffic, never anything of this type.
I don't know if it's related, but at about the same time USNO reported an attack on their NTP servers. I could easily imagine a piece of malware with a bug that does massive retransmits on both DNS and NTP.

-----------
From: Rich <schmidt.rich@gmail.com>
Newsgroups: comp.protocols.time.ntp
Subject: NTP Denial of Service attack 29 November 2011
Date: Tue, 29 Nov 2011 12:44:44 -0800 (PST)
Organization: http://groups.google.com
NNTP-Posting-Host: 199.211.133.254

USNO is seeing an apparent coordinated denial of service attack on NTP originating with the following IPs: 220.117.53.67; 218.92.115.152; 114.40.28.224; 218.201.21.194.

----------
At 11 pm EST 29 Nov 2011 the Navy Cyber Defense Operations Command ordered USNO to take NTP servers in Washington, DC offline, and USNO complied. USNO serves more than 3 million clients. This is the first time in 17 years that we have ceased NTP operations.

----
NTP Service from USNO Washington was restored at 30.56 November 2011 UTC. No further information is available for dissemination at this time.

--
These are my opinions, not necessarily my employer's. I hate spam.