North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: DNS requests from

  • From: Matthew Zito (by way of Matthew Zito <[email protected]>)
  • Date: Tue Jan 09 22:58:33 2001


On Tue, 09 Jan 2001, you wrote:
> I'm surprised this hasn't come up in NANOG yet...
> On a university list many sites are reporting large amounts of traffic
> appearing to come from to their DNS servers.  The
> administrator of the source IP (spoofed of course) is the victim of a
> brutal DoS attack.  The traffic is UDP/DNS queries that are appear to be
> going directly to available DNS servers (as opposed to random hosts).
> Most sites are reporting on the order of 6 or more packets per second to
> their DNS servers.  The victim has apparently seen upwards of 90 Mb/s of
> traffic coming back in to them.  Does anyone here have anymore
> information on this attack?

Hello all, is one of our ('s) ip addresses.  On January 4 at
approximately 5:30 pm was attacked by the large-scale DNS attack
described above.  The nature of the attack itself is explained in detail in
CERT Incident Notes 2000-04, available at:

At its peak, the attack significantly increased the amount of incoming
traffic from our providers. Within a short time we had blocked the attack at
our border routers, and by evening of the next day our  upstreams had blocked
it also.  While the attack is still continuing, the impact on our upstreams
has decreased, mostly due to individual ISPs who started access-listing off
the incoming spoofed packets.  Although we are not  currently being
negatively affected by the attack, the annoyance level is significant enough
that the FBI has been notified - meanwhile, we are focusing  our energies on
1) notifying as many of the parties that are being used as  "amplifiers" as
possible and 2) asking them to contact their upstreams to try
to trace back the traffic to a provider.

We are trying to compile a listing of all the DNS servers being used as
amplifiers - unfortunately, trying to create such a list is tough to do,
given the distribution of the attack.

The specifics of the attack are a source address of
(, a udp destination port of 53.  The
dns requests themselves are MX record requests for - it looks like a
25 byte dns request yields a 500 byte response, which is not a bad ROI.

If anyone is concerned about whether or not they are being used as an
amplifier, they can place access-lists on their routers to block packets with
the above criteria without denying any normal services - there is no reason
for that ip address to be making DNS requests.

For anyone who is being used as an amplifier, we would ask that you contact
your upstreams and ask them to initiate a traceback, or contact me directly:

Matthew Zito
Systems Engineer
Ph: 212-798-9205
[email protected]

If anyone has any useful information or questions, please feel free to
contact me.  We will also be sure to notify this list as pertinent
information arises.  Thanks to everyone on and off this list who has been
helping us over the last few days - we all appreciate it.  All correspondence
will be kept in strict confidence.

Thanks again,
Matt Zito

- --
Matthew J. Zito
Systems Engineer, Inc., 11th Floor, 575 8th Avenue, New York, NY 10018
Ph: 212-798-9205
PGP Key Fingerprint: 4E AC E1 0B BE DD 7D BC  D2 06 B2 B0 BF 55 68 99

Version: PGP 6.5.1i


Matthew J. Zito
Systems Engineer, Inc., 11th Floor, 575 8th Avenue, New York, NY 10018
Ph: 212-798-9205
PGP Key Fingerprint: 4E AC E1 0B BE DD 7D BC  D2 06 B2 B0 BF 55 68 99