[nSLUG] [OT] Numerous probes seen as bogus DNS "replies"
Chris R. Thompson
chris.thompson at solutioninc.com
Mon Jun 30 08:14:16 ADT 2014
Hopefully the responses received help. I concur with the statement regarding DNS flooding, more accurately DNS amplification (http://en.wikipedia.org/wiki/Denial-of-service_attack#Reflected_.2F_Spoofed_attack).
May have to be done at an edge device or through your packet filter, but relatively easily blocked/dropped.
On 06/30/2014 05:35 AM, Robert McKay wrote:
On Mon, 30 Jun 2014 02:48:53 -0300, mspencer at tallships.ca wrote:
> What I was seeing was like these:
> 02:58:54.788688 IP 126.96.36.199 > 188.8.131.52: ICMP
> udp port 53 unreachable, length 70
> 02:59:24.048691 IP 184.108.40.206.53 > 220.127.116.11.35510:
> 1907 ServFail 0/0/0 (42)
> 03:00:13.948690 IP 18.104.22.168.53 > 22.214.171.124.41636:
> 62834 NXDomain 0/0/0 (34)
> 205 unique source address in just under an hour, one packet per src
> I found mention of DNS flooding on the net. Presumably people could
> forging my IP address in packets meant to DOS DNS and then I would
> the replies. Doesn't look like that's happening here. The source
> are all sorts, many with names that look like subscriber lines.
> It appears that numerous people/hosts are sending unsolicited DNS
> replies. I wonder why, what's happening.
> Not seeing it tonight. My usual ISP is down and the backup ISP
> seems to have different filters in place. Only one DNS packet and
> an ANY request for census.gov from (no rDNS) someplace in USA:PA.
This is typical DNS flooding behaviour.. an any request for census.gov
returns a nice big reply that's good for flooding.. 126.96.36.199 and
188.8.131.52 are open recursors which means they will answer requests
sent from any IP address. Someone is spoofing requests from your IP to
the open servers and they reply with more traffic than the attacker had
to send in queries.
Most likely someone who was previously using your dynamic IP was
targeted (unless you've recently angered some internet vandals ;)
Christopher Thompson | Client Care | SolutionInc Limited
Office: +1.902.420-0077 | Fax: +1.902.420.0233
Email: chris.thompson at solutioninc.com
Website: www.solutioninc.com <http://www.solutioninc.com/>
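An added example, not part of the original thread: a small detector for the pattern discussed above, DNS replies that arrive without a matching outgoing query, spread over many sources with one packet each. The capture text, the addresses (RFC 5737 documentation ranges) and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed tcpdump-style capture; 192.0.2.10 stands in for the local host.
SAMPLE = """\
02:58:01.100000 IP 192.0.2.10.40000 > 198.51.100.53.53: 4242+ A? example.org. (29)
02:58:01.140000 IP 198.51.100.53.53 > 192.0.2.10.40000: 4242 1/0/0 A 203.0.113.80 (45)
02:58:54.788688 IP 192.0.2.10 > 203.0.113.7: ICMP 192.0.2.10 udp port 53 unreachable, length 70
02:59:24.048691 IP 203.0.113.7.53 > 192.0.2.10.35510: 1907 ServFail 0/0/0 (42)
03:00:13.948690 IP 203.0.113.99.53 > 192.0.2.10.41636: 62834 NXDomain 0/0/0 (34)
03:00:40.000000 IP 198.51.100.200.53 > 192.0.2.10.50211: 771 Refused 0/0/0 (30)
"""

# Layout: timestamp IP src.sport > dst.dport: txid rest
# Lines without ports (such as the ICMP line) do not match and are skipped.
LINE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<txid>\d+)(?P<rest>.*)$")
RCODES = ("ServFail", "NXDomain", "Refused")

def find_unsolicited(capture, local_ip):
    """Return (source, rcode) for DNS replies that answer no query we sent."""
    pending = set()  # (server, local port, transaction id) of our own queries
    unsolicited = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        txid = int(m["txid"])
        if m["src"] == local_ip and m["dport"] == "53":
            pending.add((m["dst"], m["sport"], txid))
        elif m["dst"] == local_ip and m["sport"] == "53":
            key = (m["src"], m["dport"], txid)
            if key in pending:
                pending.discard(key)  # legitimate answer to our own query
            else:
                rcode = next((r for r in RCODES if r in m["rest"]), "NoError")
                unsolicited.append((m["src"], rcode))
    return unsolicited

def summarize(unsolicited):
    """Many sources with one packet each suggests reflection backscatter."""
    per_source = Counter(src for src, _ in unsolicited)
    return {"packets": len(unsolicited),
            "unique_sources": len(per_source),
            "max_per_source": max(per_source.values(), default=0),
            "rcodes": dict(Counter(rc for _, rc in unsolicited))}
```

A stateful packet filter applies the same rule at the edge: inbound UDP from port 53 that matches no tracked outgoing query is dropped.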