Re: Recent DNS attacks from China?
> I am wondering if anyone else is seeing a sudden increase in DNS attacks emanating from Chinese IP addresses? Over the past 24 hours we've seen a sudden rash of Chinese IPs attacking our DNS servers in the order of 5 to 10 million PPS for periods of 5 to 10 mins, repeated every 20 to 30 minutes.
>
> This anomalous traffic started roughly 24 hours ago, and while we've had occasions of anomalous Chinese traffic, never anything of this type.

I don't know if it's related, but at about the same time USNO reported an attack on their NTP servers. I could easily imagine a piece of malware with a bug that does massive retransmits on both DNS and NTP.

-----------
From: Rich <schmidt.rich@gmail.com>
Newsgroups: comp.protocols.time.ntp
Subject: NTP Denial of Service attack 29 November 2011
Date: Tue, 29 Nov 2011 12:44:44 -0800 (PST)
Organization: http://groups.google.com
NNTP-Posting-Host: 199.211.133.254

USNO is seeing an apparent coordinated denial of service attack on NTP originating with the following IPs: 220.117.53.67; 218.92.115.152; 114.40.28.224; 218.201.21.194.

----------
At 11 pm EST 29 Nov 2011 the Navy Cyber Defense Operations Command ordered USNO to take NTP servers in Washington, DC offline, and USNO complied. USNO serves more than 3 million clients. This is the first time in 17 years that we have ceased NTP operations.

----
NTP Service from USNO Washington was restored at 30.56 November 2011 UTC. No further information is available for dissemination at this time.

--
These are my opinions, not necessarily my employer's. I hate spam.
>> I am wondering if anyone else is seeing a sudden increase in DNS attacks emanating from Chinese IP addresses? Over the past 24 hours we've seen a sudden rash of Chinese IPs attacking our DNS servers in the order of 5 to 10 million PPS for periods of 5 to 10 mins, repeated every 20 to 30 minutes.
>>
>> This anomalous traffic started roughly 24 hours ago, and while we've had occasions of anomalous Chinese traffic, never anything of this type.
>
> I don't know if it's related, but at about the same time USNO reported an attack on their NTP servers.
>
> I could easily imagine a piece of malware with a bug that does massive retransmits on both DNS and NTP.

I'm seeing DNS-based attacks on a regular basis, typically several per day. Often involving ANY isc.org or ANY ripe.net to get a good amplification. E.g. *right now* an amplification attack against 78.159.111.190.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
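The pattern Steinar describes (bursts of ANY queries for isc.org or ripe.net, with the victim's address as the spoofed source) can be picked out of an ordinary query log. The script below is an added example and is not part of the original thread or anyone's production tooling; it assumes an approximate BIND-style querylog line format (field order varies by version) and uses a handful of constructed log lines. The window and threshold values are illustrative assumptions. The only address taken from the thread is 78.159.111.190, the target Steinar mentions; 192.0.2.0/24 addresses are documentation space.

```python
"""Flag likely DNS reflection/amplification abuse in BIND-style query logs.

Added example for this thread, not code from the original posts. In a
reflection attack the "client" address in the log is the *victim* (the source
address was spoofed), so what this finds is who is being hit, not who is sending.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Assumed BIND querylog shape: "<ts> client <ip>#<port>: query: <qname> IN <qtype> <flags>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client>[\d.]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S*)"
)

# Constructed sample log: six spoofed ANY queries "from" the victim within
# milliseconds, then ordinary traffic, then a lone ANY query that is not a burst.
SAMPLE_LOG = """\
29-Nov-2011 14:00:00.001 client 78.159.111.190#53: query: isc.org IN ANY +E
29-Nov-2011 14:00:00.002 client 78.159.111.190#53: query: isc.org IN ANY +E
29-Nov-2011 14:00:00.003 client 78.159.111.190#53: query: ripe.net IN ANY +E
29-Nov-2011 14:00:00.004 client 78.159.111.190#53: query: isc.org IN ANY +E
29-Nov-2011 14:00:00.005 client 78.159.111.190#53: query: isc.org IN ANY +E
29-Nov-2011 14:00:00.006 client 78.159.111.190#53: query: ripe.net IN ANY +E
29-Nov-2011 14:00:01.500 client 192.0.2.10#50123: query: www.example.com IN A +
29-Nov-2011 14:00:02.100 client 192.0.2.11#50124: query: example.com IN MX +
29-Nov-2011 14:00:30.000 client 192.0.2.12#53: query: isc.org IN ANY +E
"""


def parse_line(line):
    """Parse one querylog line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return ev


def find_reflection_victims(log_text, window_s=10.0, threshold=5, qtypes=("ANY",)):
    """Return {client: {"peak": n, "qnames": {...}}} for clients whose count of
    amplification-prone queries (ANY by default) reaches `threshold` within any
    sliding window of `window_s` seconds. `peak` is the largest such window."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["qtype"] in qtypes:
            per_client[ev["client"]].append((ev["ts"], ev["qname"]))

    flagged = {}
    for client, events in per_client.items():
        events.sort()
        window = deque()          # timestamps inside the current sliding window
        peak = 0
        for ts, _ in events:
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_s:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= threshold:
            flagged[client] = {
                "peak": peak,
                "qnames": dict(Counter(qname for _, qname in events)),
            }
    return flagged


if __name__ == "__main__":
    for victim, info in find_reflection_victims(SAMPLE_LOG).items():
        print(f"{victim}: {info['peak']} ANY queries in window, names={info['qnames']}")
```

The useful output is a list of addresses to rate-limit responses toward, which is the same idea response rate limiting (RRL) in authoritative servers applies automatically; blocking the flagged addresses inbound would only punish the spoofed victim. A single ANY query from 192.0.2.12 is not flagged because a burst, not the query type alone, is the signal.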
participants (2)
- Hal Murray
- sthaug@nethelp.no