Yes it is, but the problem is that our servers are "attacking" the so-called source address. All the answers are going back to the "source". These are huge amplification attacks (some sort of smurf, if you want).

The IP addresses are spoofed. (We did a capture and saw all different TTLs, so coming from behind different hops.) And yes, we saw the ANY queries for all the domains.

I still wonder how it is still possible that IP addresses can be spoofed nowadays.

Rob

============================

-----Original message-----
From: Matlock, Kenneth L [mailto:MatlockK@exempla.org]
Sent: Wednesday 30 November 2011 19:57
To: Richard Barnes; andrew.wallace
CC: nanog@nanog.org; Leland Vandervort
Subject: RE: Recent DNS attacks from China?

Except in this case it's a DNS attack, which implies UDP based and easily spoofed. The source IP may or may not actually be accurate.

Ken

________________________________
From: Richard Barnes [mailto:richard.barnes@gmail.com]
Sent: Wed 11/30/2011 11:51 AM
To: andrew.wallace
Cc: nanog@nanog.org; Leland Vandervort
Subject: Re: Recent DNS attacks from China?

An attack originating from somewhere indicates the presence of either an attacker or a compromised host. A particular density of either in a particular geographical area would seem like an interesting data point.

--Richard

On Wed, Nov 30, 2011 at 1:24 PM, andrew.wallace <andrew.wallace@rocketmail.com> wrote:
Before we see knee-jerk conclusions about who to blame, these attacks could be carried out by anyone.
Is country even relevant in the cyberscape?
Andrew
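The signature described in the first message of this thread (ANY queries that claim one source address but arrive with widely differing IP TTLs) can be checked for in a query capture. The following is an added example, not code from the thread; the record layout, the sample records and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample records (not the capture mentioned in the thread):
# (claimed source IP, IP TTL seen at the server, DNS qtype, qname)
SAMPLE = [
    ("198.51.100.7", 52, "ANY", "example.com"),
    ("198.51.100.7", 113, "ANY", "example.net"),
    ("198.51.100.7", 241, "ANY", "example.org"),
    ("198.51.100.7", 47, "ANY", "example.com"),
    ("198.51.100.7", 60, "ANY", "example.net"),
    ("203.0.113.20", 57, "A", "www.example.com"),
    ("203.0.113.20", 57, "MX", "example.com"),
    ("203.0.113.20", 56, "A", "mail.example.com"),
    ("192.0.2.99", 120, "ANY", "example.com"),
]


def likely_reflection_victims(records, min_queries=4, min_ttl_spread=8,
                              min_any_ratio=0.8):
    """Return stats for claimed sources that look spoofed.

    A genuine resolver reaches the server over a mostly stable path, so its
    TTL varies by a hop or two at most. Packets forged by many senders carry
    the same claimed source but arrive with unrelated TTLs. Thresholds are
    assumptions and need tuning against real traffic.
    """
    ttls = defaultdict(list)
    any_count = defaultdict(int)
    for src, ttl, qtype, _qname in records:
        ttls[src].append(ttl)
        if qtype.upper() == "ANY":
            any_count[src] += 1

    flagged = {}
    for src, seen in ttls.items():
        spread = max(seen) - min(seen)
        ratio = any_count[src] / len(seen)
        if (len(seen) >= min_queries and spread >= min_ttl_spread
                and ratio >= min_any_ratio):
            flagged[src] = {"queries": len(seen), "ttl_spread": spread,
                            "any_ratio": ratio}
    return flagged


if __name__ == "__main__":
    for src, stats in likely_reflection_victims(SAMPLE).items():
        print(src, stats)
```

A flagged address is the probable target of the reflected answers, not the origin of the queries, so it is a candidate for response rate limiting rather than for blame.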