[BlueOnyx:12787] DNS attack profile

George F. Nemeyer tigerwolf at tigerden.com
Tue Apr 9 01:57:33 -05 2013

Some observations:

Up until the recent flap over DNS attacks, I had observed that the number
of different bogus queries attempting to do amplification attacks was
relatively small and generally limited to a handful of 'target' IPs, and
that the same query was made continuously from the same source IPs for
hours or days, clearly a focused attack at those targets.

That's all changed around the beginning of the year.  Now, it's a
monstrously huge number of source IPs from all over the map.  By
contrast, most of these queries are not being attempted more than a
handful of times; then the source IP changes every few minutes, and
apparently 'cycles' through a slowly repeating list.

Also, where the queries often used varying domains such as isc.org, most
named ones are now for "deniedstresser.com".  The vast majority are now
just 'ANY'.

Just a quick grep of source IPs doing 'ANY' attempts over the last 24
hours shows 1157 *different* IPs hitting just one DNS server here.  Of
course the total number of query *attempts* is way higher than that.

The IPs are often not just commercial sites, but even DSL or cable
addresses of apparent home users.  So it appears now, the goal may not be
just a single target machine, but rather attempt to just flood and degrade
entire networks.

I'm curious about what others are seeing.

=^_^=  Tigerwolf
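The "quick grep" described in the post, written out as an added example (not the poster's own commands): it pulls the ANY queries out of a BIND 9 query log, counts distinct client IPs versus total attempts, and ranks the names being asked for, which is how one tells a few fixed sources hammering one target apart from a rotating pool of sources. The log lines below are constructed for the example and assume the "client <ip>#<port>: query: <name> IN <type> <flags>" layout that BIND 9 writes when query logging is enabled (`rndc querylog`, or a `queries` logging category in named.conf); the log filename in the usage note is an assumption, since the post does not give one.

```shell
#!/bin/sh
# Constructed sample of BIND 9 query-log lines (not captured traffic). The
# "(203.0.113.53)" at the end is the local address the query arrived on.
SAMPLE_LOG=$(cat <<'EOF'
09-Apr-2013 00:10:01.101 client 192.0.2.10#53821: query: deniedstresser.com IN ANY +E (203.0.113.53)
09-Apr-2013 00:10:01.105 client 192.0.2.10#53821: query: deniedstresser.com IN ANY +E (203.0.113.53)
09-Apr-2013 00:12:44.220 client 198.51.100.7#40122: query: isc.org IN ANY +E (203.0.113.53)
09-Apr-2013 00:15:09.330 client 192.0.2.11#1024: query: deniedstresser.com IN ANY +E (203.0.113.53)
09-Apr-2013 00:20:00.000 client 198.51.100.8#2048: query: www.example.com IN A +E (203.0.113.53)
09-Apr-2013 00:25:00.000 client 192.0.2.12#3000: query: deniedstresser.com IN ANY +E (203.0.113.53)
EOF
)

# stdin: query log; stdout: the client IP of every ANY query, one per line.
# The "client" token is located by name rather than by field position so the
# filter also works on syslog-prefixed copies of the same log.
any_query_sources() {
    awk '/ query: / && / IN ANY / {
        for (i = 1; i <= NF; i++)
            if ($i == "client") { ip = $(i + 1); sub(/#.*/, "", ip); print ip }
    }'
}

# Total number of ANY query attempts seen.
count_any_attempts() {
    any_query_sources | wc -l | tr -d ' '
}

# Number of *distinct* source IPs behind those attempts (the post's figure).
count_any_sources() {
    any_query_sources | sort -u | wc -l | tr -d ' '
}

# stdin: query log; stdout: "<count> <name>" for ANY queries, most common first.
top_any_names() {
    awk '/ query: / && / IN ANY / {
        for (i = 1; i <= NF; i++) if ($i == "query:") print $(i + 1)
    }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Stand-alone run over the constructed sample.
printf 'ANY attempts:        %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_any_attempts)"
printf 'distinct ANY sources: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_any_sources)"
printf 'names asked for with ANY:\n'
printf '%s\n' "$SAMPLE_LOG" | top_any_names
```

Against a live server the same functions take the log on stdin, e.g. `count_any_sources < /var/log/named/query.log` (path assumed). A large gap between attempts and distinct sources, with a short list of names, is the older pattern the post describes; attempts close to the number of distinct sources, spread across many networks, is the newer one. Note that this counts what arrived, not what amplified: a server that answers ANY for a zone it hosts sends the large response, while a REFUSED for a zone it does not serve is small, so cross-check the top names against the zones the server is actually authoritative for before deciding how much traffic it is contributing.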
