DNS requests from 209.67.50.203


I'm surprised this hasn't come up in NANOG yet...

On a university list many sites are reporting large amounts of traffic
appearing to come from 209.67.50.203 to their DNS servers. The
administrator of the source IP (spoofed of course) is the victim of a
brutal DoS attack. The traffic is UDP/DNS queries that appear to be
going directly to available DNS servers (as opposed to random hosts).
Most sites are reporting on the order of 6 or more packets per second to
their DNS servers. The victim has apparently seen upwards of 90 Mb/s of
traffic coming back in to them. Does anyone here have any more
information on this attack?

Hello all,

209.67.50.203 is one of our (Register.com's) IP addresses. On January 4 at
approximately 5:30 pm Register.com was attacked by the large-scale DNS attack
described above. The nature of the attack itself is explained in detail in
CERT Incident Notes 2000-04, available at:

http://www.cert.org/incident_notes/IN-2000-04.html

At its peak, the attack significantly increased the amount of incoming
traffic from our providers. Within a short time we had blocked the attack at
our border routers, and by evening of the next day our upstreams had blocked
it also. While the attack is still continuing, the impact on our upstreams
has decreased, mostly due to individual ISPs who started access-listing off
the incoming spoofed packets. Although we are not currently being
negatively affected by the attack, the annoyance level is significant enough
that the FBI has been notified - meanwhile, we are focusing our energies on
1) notifying as many of the parties that are being used as "amplifiers" as
possible and 2) asking them to contact their upstreams to try
to trace back the traffic to a provider.

We are trying to compile a listing of all the DNS servers being used as
amplifiers - unfortunately, trying to create such a list is tough to do,
given the distribution of the attack.

The specifics of the attack are a source address of 209.67.50.203
(futuresite.register.com) and a UDP destination port of 53. The
DNS requests themselves are MX record requests for aol.com - it looks like a
25-byte DNS request yields a 500-byte response, which is not a bad ROI.

If anyone is concerned about whether or not they are being used as an
amplifier, they can place access-lists on their routers to block packets with
the above criteria without denying any normal services - there is no reason
for that IP address to be making DNS requests.

For anyone who is being used as an amplifier, we would ask that you contact
your upstreams and ask them to initiate a traceback, or contact me directly:

Matthew Zito
Systems Engineer
Register.com
Ph: 212-798-9205
mzito@register.com

If anyone has any useful information or questions, please feel free to
contact me. We will also be sure to notify this list as pertinent
information arises. Thanks to everyone on and off this list who has been
helping us over the last few days - we all appreciate it. All correspondence
will be kept in strict confidence.

Thanks again,
Matt Zito

--
Matthew J. Zito
Systems Engineer
Register.com, Inc., 11th Floor, 575 8th Avenue, New York, NY 10018
Ph: 212-798-9205
PGP Key Fingerprint: 4E AC E1 0B BE DD 7D BC D2 06 B2 B0 BF 55 68 99
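The criteria Matt gives (source 209.67.50.203, UDP destination port 53, an MX query for aol.com, roughly 25 bytes in and 500 bytes out) are enough to spot amplifier traffic in a capture before the access-list goes in. The following is an added example, not code from the post or from Register.com: it builds the query exactly as the post describes it, parses the DNS header and question section from a raw UDP payload, flags datagrams that match the attack pattern, and works out the amplification ratio. The sample datagrams and the equivalent Cisco IOS access-list line in the comment are constructed here for illustration; the request/response sizes are the ones quoted in the post.

```python
import struct

# Criteria from the post: spoofed source, UDP/53, MX query for aol.com.
SPOOFED_SRC = "209.67.50.203"
DNS_PORT = 53
QTYPE_A = 1
QTYPE_MX = 15
TARGET_QNAME = "aol.com"

# Equivalent router filter (assumed Cisco IOS extended ACL syntax, not from the post):
#   access-list 101 deny   udp host 209.67.50.203 any eq 53
#   access-list 101 permit ip any any


def build_query(qname, qtype, txid=0x1234):
    """Build a minimal DNS query: 12-byte header, one question, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_query(payload):
    """Parse the header and the single question of a DNS query payload.

    Raises ValueError for responses, multi-question packets, compression
    pointers in the question name, or truncated packets.
    """
    if len(payload) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off, labels = 12, []
    while True:
        if off >= len(payload):
            raise ValueError("truncated question name")
        length = payload[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[off:off + length].decode("ascii", "replace"))
        off += length
    if off + 4 > len(payload):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    return {"id": txid, "qname": ".".join(labels).lower(), "qtype": qtype, "qclass": qclass}


def is_amplifier_probe(src_ip, dst_port, payload):
    """True if a datagram matches the attack pattern described in the post."""
    if src_ip != SPOOFED_SRC or dst_port != DNS_PORT:
        return False
    try:
        question = parse_query(payload)
    except ValueError:
        return False
    return question["qtype"] == QTYPE_MX and question["qname"] == TARGET_QNAME


def amplification_ratio(request_len, response_len):
    """Bytes sent to the victim per spoofed byte the attacker sends."""
    return response_len / request_len


def flag_datagrams(datagrams):
    """Return the indexes of datagrams that match the amplifier pattern."""
    return [i for i, (src, port, data) in enumerate(datagrams)
            if is_amplifier_probe(src, port, data)]


# Constructed sample traffic: one spoofed probe, one legitimate A query,
# one MX query from a different source, and one truncated packet.
SAMPLE_DATAGRAMS = [
    (SPOOFED_SRC, DNS_PORT, build_query("aol.com", QTYPE_MX)),
    ("192.0.2.10", DNS_PORT, build_query("www.example.com", QTYPE_A)),
    ("198.51.100.7", DNS_PORT, build_query("aol.com", QTYPE_MX)),
    (SPOOFED_SRC, DNS_PORT, build_query("aol.com", QTYPE_MX)[:20]),
]

if __name__ == "__main__":
    print("query size:", len(build_query("aol.com", QTYPE_MX)), "bytes")
    print("flagged datagrams:", flag_datagrams(SAMPLE_DATAGRAMS))
    print("amplification:", amplification_ratio(25, 500))
```

The 25-byte figure in the post is exactly what a bare MX query for aol.com comes to (12-byte header, 9-byte name, 4 bytes of QTYPE/QCLASS), so the 500-byte answer gives a 20:1 ratio; the parser refuses responses, multi-question packets and compression pointers so a crafted payload cannot trip the matcher into a false negative by malforming the name.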