[nSLUG] [OT] Numerous probes seen as bogus DNS "replies"

Chris R. Thompson chris.thompson at solutioninc.com
Mon Jun 30 08:14:16 ADT 2014


Hello Robert,

Hopefully the responses received help. I concur with the statement regarding dns flooding, more accurately dns amplification ( http://en.wikipedia.org/wiki/Denial-of-service_attack#Reflected_.2F_Spoofed_attack )

May have to be done at an edge device or through your packet filter, but relatively easily blocked/dropped.

Sincerely,

On 06/30/2014 05:35 AM, Robert McKay wrote:


	On Mon, 30 Jun 2014 02:48:53 -0300, mspencer at tallships.ca wrote:
	
	> What I was seeing was like these:
	>
	>     02:58:54.788688 IP 91.133.244.34 > 24.215.115.23: ICMP
	> 91.133.244.34
	>                     udp port 53 unreachable, length 70
	>
	>     02:59:24.048691 IP 192.157.242.141.53 > 24.215.115.23.35510:
	>                     1907 ServFail 0/0/0 (42)
	>
	>     03:00:13.948690 IP 193.151.80.59.53 > 24.215.115.23.41636:
	>                     62834 NXDomain 0/0/0 (34)
	>
	> 205 unique source addresses in just under an hour, one packet per src
	> address.
	>
	>
	> I found mention of DNS flooding on the net. Presumably people could
	> be forging my IP address in packets meant to DOS DNS and then I would
	> get the replies. Doesn't look like that's happening here. The source
	> hosts are all sorts, many with names that look like subscriber lines.
	>
	> It appears that numerous people/hosts are sending unsolicited DNS
	> replies.  I wonder why, what's happening.
	>
	>
	> Not seeing it tonight.  My usual ISP is down and the backup ISP
	> seems to have different filters in place. Only one DNS packet and
	> it's an ANY request for census.gov from (no rDNS) someplace in USA:PA.
	
	This is typical DNS flooding behaviour.. an any request for census.gov
	returns a nice big reply that's good for flooding.. 192.157.242.141 and
	193.151.80.59 are open recursors which means they will answer requests
	sent from any IP address. Someone is spoofing requests from your IP to
	the open servers and they reply with more traffic than the attacker had
	to send in queries.
	
	Most likely someone who was previously using your dynamic IP was
	targeted (unless you've recently angered some internet vandals ;)
	
	Rob
	


-- 


Christopher Thompson | Client Care | SolutionInc Limited
Office: +1.902.420-0077 | Fax: +1.902.420.0233

Email: chris.thompson at solutioninc.com
Website: www.solutioninc.com <http://www.solutioninc.com/> 
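As an added example, not code from the thread or from either poster: a small Python triage script that reads tcpdump lines in the shape quoted above, separates replies to queries the host actually sent from unsolicited ones, and summarises the unsolicited set by distinct source count and rcode, which is the "many sources, one packet each" signature Rob describes. The set of queries the host "really sent", the fourth sample line (resolver 198.51.100.5, a documentation address) and the 50-source threshold are assumptions made for the example.

```python
import re
from collections import Counter
# Constructed sample in the one-line shape tcpdump prints (the thread's copy is
# wrapped). Last line: a genuine reply from a resolver this host did query.
SAMPLE = """\
02:58:54.788688 IP 91.133.244.34 > 24.215.115.23: ICMP 91.133.244.34 udp port 53 unreachable, length 70
02:59:24.048691 IP 192.157.242.141.53 > 24.215.115.23.35510: 1907 ServFail 0/0/0 (42)
03:00:13.948690 IP 193.151.80.59.53 > 24.215.115.23.41636: 62834 NXDomain 0/0/0 (34)
03:00:20.100000 IP 198.51.100.5.53 > 24.215.115.23.40000: 4711 1/0/0 A 203.0.113.7 (50)
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
DNS_RE = re.compile(rf"^(\S+) IP {IPV4}\.53 > {IPV4}\.(\d+): (\d+)[*|-]* (ServFail|NXDomain|Refused)?")
ICMP_RE = re.compile(rf"^(\S+) IP {IPV4} > {IPV4}: ICMP \S+ udp port 53 unreachable")

def parse_line(line):
    """Parse one tcpdump line into a record, or return None for anything else."""
    m = DNS_RE.match(line)
    if m:
        ts, src, dst, dport, _txid, rcode = m.groups()
        return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                "kind": "dns_reply", "rcode": rcode or "NoError"}
    m = ICMP_RE.match(line)
    if m:
        ts, src, dst = m.groups()
        return {"ts": ts, "src": src, "dst": dst, "dport": None,
                "kind": "icmp_unreach", "rcode": None}
    return None

def classify(text, sent_queries):
    """Split records into replies we asked for and unsolicited ones. sent_queries
    holds (resolver_ip, local_port) pairs for queries this host really emitted
    (e.g. from conntrack); a reply matching none of them was never requested."""
    solicited, unsolicited = [], []
    for rec in filter(None, map(parse_line, text.splitlines())):
        if rec["kind"] == "dns_reply" and (rec["src"], rec["dport"]) in sent_queries:
            solicited.append(rec)
        else:
            unsolicited.append(rec)
    return solicited, unsolicited

def backscatter_summary(unsolicited, unique_src_threshold=50):
    """Many distinct reflectors, one packet each, is the pattern from the thread;
    the threshold is an assumed tuning value, not one the thread gives."""
    per_src = Counter(r["src"] for r in unsolicited)
    return {"unique_sources": len(per_src),
            "rcodes": Counter(r["rcode"] for r in unsolicited if r["rcode"]),
            "icmp_unreachable": sum(r["kind"] == "icmp_unreach" for r in unsolicited),
            "likely_reflection_backscatter": len(per_src) >= unique_src_threshold}
```

Feed it `tcpdump -n udp src port 53 or icmp` output plus the host's own outbound query list; replies that match no outbound query are the backscatter Robert saw, and a high distinct-source count with a single packet per source points at spoofed-source reflection rather than a misbehaving resolver.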




