Virus.Org IT Security News and Information Portal. We offer the latest IT security news, updates, product reviews, books, and articles for all you IT security professionals out there. Enter and get the best IT security information on the Internet.

 
. Welcome to the Virus.Org Mailing List Archive  
.
.


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


Re: DNS requests from 209.67.50.203 (fwd)
.

  • To: [EMAIL PROTECTED]
  • Subject: Re: DNS requests from 209.67.50.203 (fwd)
  • From: Joe Matusiewicz <[EMAIL PROTECTED]>
  • Date: Wed, 10 Jan 2001 19:09:56 +0100
  • In-reply-to: <[EMAIL PROTECTED] et>
.
 
 From where I sit, I'm still seeing DNS MX lookups with the spoofed source
address of 209.67.50.203.  Until the real source can be shut off, I'm
afraid this will continue.  People reading this list may want to check and
make sure that these packets are not originating from their networks.  This
attack seems similar to the one mentioned in the following CERT advisory:

http://www.cert.org/incident_notes/IN-2000-04.html


-- Joe



At 08:41 PM 1/9/01, Joe Shaw wrote:
>The following came across the NANOG list today.  Anyone else experiencing
>this?  I have not seen mention of this specific attack previously, but
>realize that I may have overlooked it.
>
>Regards,
>--
>Joseph W. Shaw
>Sr. Network Security Specialist for Big Company not to be named.
>I have public opinions, and they have public relations.
>
>---------- Forwarded message ----------
>Date: Tue, 09 Jan 2001 19:24:39 -0500
>From: Steven M. Bellovin <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Cc: [EMAIL PROTECTED]
>Subject: Re: DNS requests from 209.67.50.203
>
>
>In message <[EMAIL PROTECTED]>, John Kristoff writes:
> >
> >I'm surprised this hasn't come up in NANOG yet...
> >
> >On a university list many sites are reporting large amounts of traffic
> >appearing to come from 209.67.50.203 to their DNS servers.  The
> >administrator of the source IP (spoofed of course) is the victim of a
> >brutal DoS attack.  The traffic is UDP/DNS queries that are appear to be
> >going directly to available DNS servers (as opposed to random hosts).
> >Most sites are reporting on the order of 6 or more packets per second to
> >their DNS servers.  The victim has apparently seen upwards of 90 Mb/s of
> >traffic coming back in to them.  Does anyone here have anymore
> >information on this attack?
>
>Yes, it's a DDoS attack, of the type that Vern Paxson has dubbed
>"refletor attacks".  You send a forged DNS query to a DNS server; it
>sends its reply to the victim.  Then you have lots of hosts around the
>net doing this, but banging on different DNS servers.
>
>
>
>                 --Steve Bellovin
 
.
.
 
Copyright (c) Virus.Org 1997-2006.
All Trademarks Acknowledged.
Please view our Terms and Conditions and our Privacy Policy.