[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

really nasty attacks

Subject: really nasty attacks
From: patrick at ianai.net (Patrick W. Gilmore)
Date: Thu, 27 Sep 2012 12:12:50 -0400
In-reply-to: <[email protected]>
References: <[email protected]> <[email protected]>

On Sep 27, 2012, at 11:34 , Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> On Thu, Sep 27, 2012 at 08:55:58AM -0600, Miguel Mata <mmata at intercom.com.sv> wrote 
> a message of 30 lines which said:
> 
>> Guys,
> 
> No gals on NANOG?

Many.  Although in fairness, some people use "guys" in a gender-neutral manner.


>> The attacks comes from various sites from the other side of the pond
>> (46.165.197.xx, 213.152.180.yy).
> 
> How can you be sure? With UDP, you have zero guarantee on the source
> IP address. (Checking the TTL can give you a hint if the packets
> really come from the same point.)
> 
> Source and destination port? If source port is 53, it may means you're
> the target of a DNS reflection+amplification attack, a la CloudFlare
> <http://blog.cloudflare.com/65gbps-ddos-no-problem>.

I do not know of any name servers that reply to queries with UDP packets filled with only the letter X.  The DNS Headers alone require more than the letter "X".

-- 
TTFN,
patrick

Follow-Ups:
- really nasty attacks
  - From: jim at reptiles.org (Jim Mercer)
- really nasty attacks
  - From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
- really nasty attacks
  - From: james.cutler at consultant.com (Cutler James R)

References:
- really nasty attacks
  - From: mmata at intercom.com.sv (Miguel Mata)
- really nasty attacks
  - From: bortzmeyer at nic.fr (Stephane Bortzmeyer)

Prev by Date: Verizon IPv6 LTE
Next by Date: really nasty attacks
Previous by thread: really nasty attacks
Next by thread: really nasty attacks
Index(es):
- Date
- Thread