Hi Cliff,

On Thu, 31 Jan 2013, Cliff Stanford wrote:

> Just before 09:00 this morning we saw a 100 Mbps port saturated.  Upon
> investigation the traffic appears to be DNS responses to requests that were
> never made.
>
> Over the following 5 minutes, we saw over 600,000 UDP DNS responses
> originating from 20 different DNS servers.  The servers all seem to be
> genuine, authoritative servers.
>
> They were all targeted at a single server our side and the destination ports
> on the targeted system included nearly pretty much the whole range.
>
> Is this a known DDoS attack? It's a new one on me.  Any suggestions on how to
> deal with it?

This sounds like a DNS reflection attack.  We see them daily in $dayjob;
they've become more common over the past 6 months or so.  The attacker is
generating DNS queries (usually for something with a chunky response like
isc.org or ripe.net) using the victim's IP address as the source address.

Mitigation is generally via ACLs on your router or upstream (given that
your port is saturated), or by enlisting a DDoS mitigation company like
$dayjob.


-Ronan
($dayjob = Prolexic)
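The pattern Ronan describes, responses from many genuine authoritative servers to queries the victim never sent, spread across nearly the whole destination port range, can be picked out of a packet feed on the victim's side. The following Python is an added illustration written for this page, not code from the list, from Ronan or from Prolexic. It assumes a stream of UDP packet summaries carrying the DNS QR bit, treats a response as unsolicited when no matching outbound query was seen earlier, and uses illustrative thresholds (responses, distinct servers, distinct ports within a window) that are assumptions rather than figures from the post; the sample traffic is constructed.

```python
"""Flag hosts receiving a flood of unsolicited DNS responses (reflection victims).

Added example for this thread; sample data and thresholds are constructed.
"""
import random
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Pkt:
    """Minimal UDP packet summary (constructed record format, not from the post)."""
    ts: float      # seconds
    src: str
    sport: int
    dst: str
    dport: int
    qr: int        # DNS header QR bit: 0 = query, 1 = response
    size: int      # UDP payload bytes


@dataclass
class VictimStats:
    window: deque = field(default_factory=deque)   # (ts, size) of unsolicited responses
    window_bytes: int = 0
    servers: set = field(default_factory=set)      # distinct reflecting servers seen
    ports: set = field(default_factory=set)        # distinct destination ports hit


def find_reflection_victims(pkts, window=300.0, min_responses=500,
                            min_servers=10, min_ports=100):
    """Return {victim_ip: report} for hosts hit by an unsolicited DNS response flood.

    A response is unsolicited when no query (client, server, client_port) was
    seen leaving that client earlier in the stream. Thresholds are assumptions.
    """
    seen_queries = set()
    stats = defaultdict(VictimStats)
    alerts = {}
    for p in sorted(pkts, key=lambda x: x.ts):
        if p.qr == 0 and p.dport == 53:
            seen_queries.add((p.src, p.dst, p.sport))
            continue
        if p.qr != 1 or p.sport != 53:
            continue
        if (p.dst, p.src, p.dport) in seen_queries:
            continue                       # answers a query we saw: legitimate
        s = stats[p.dst]
        s.window.append((p.ts, p.size))
        s.window_bytes += p.size
        s.servers.add(p.src)
        s.ports.add(p.dport)
        while s.window and p.ts - s.window[0][0] > window:   # expire old entries
            _, old_size = s.window.popleft()
            s.window_bytes -= old_size
        if (len(s.window) >= min_responses and len(s.servers) >= min_servers
                and len(s.ports) >= min_ports):
            span = max(p.ts - s.window[0][0], 1.0)
            alerts[p.dst] = {
                "responses": len(s.window),
                "servers": len(s.servers),
                "ports": len(s.ports),
                "mbps": round(s.window_bytes * 8 / span / 1e6, 2),
            }
    return alerts


def constructed_sample(seed=1):
    """Synthetic traffic: one legitimate lookup plus a reflection flood (constructed)."""
    rng = random.Random(seed)
    pkts = [
        # 10.0.0.5 asks 192.0.2.53 and gets the matching answer back
        Pkt(0.0, "10.0.0.5", 40000, "192.0.2.53", 53, 0, 40),
        Pkt(0.02, "192.0.2.53", 53, "10.0.0.5", 40000, 1, 120),
    ]
    # 20 authoritative servers answer queries that 10.0.0.9 never sent,
    # with large responses spread over random high destination ports
    servers = [f"198.51.100.{i}" for i in range(1, 21)]
    for i in range(2000):
        ts = 1.0 + i * (300.0 / 2000)
        pkts.append(Pkt(ts, rng.choice(servers), 53, "10.0.0.9",
                        rng.randint(1024, 65535), 1, 3000))
    rng.shuffle(pkts)
    return pkts


if __name__ == "__main__":
    for victim, report in find_reflection_victims(constructed_sample()).items():
        print(victim, report)
```

The query-matching step is what separates a reflection flood from a busy resolver: a host that really made the queries will have matching outbound packets, whereas a spoofed victim sees only the answers. The per-victim bit rate in the report is the number to compare against the link capacity when deciding whether filtering has to happen upstream rather than on the saturated port.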
