[Emerging-Sigs] Dns ddos
mcholste at gmail.com
Wed Oct 26 09:41:42 EDT 2011
Were the sources all in the same /16? It's possible they were trying
to flood someone else using the ICMP admin-prohibited bounces from the
firewalls in orgs like yours.
On Wed, Oct 26, 2011 at 8:12 AM, Brandon Kendall
<brandon.kendall at gmail.com> wrote:
> My company had a DDoS the other morning that seemed a little odd - packets
> were UDP with both the source and destination port 53. The target IP wasn't
> running DNS so the firewall blocked all of the attempts, but it still
> managed to saturate a 500 mb internet link. Firewall logs show about 63,000
> sources, in a fairly sequential order, leading us to believe they are
> Unfortunately I wasn't able to capture any of the packets.
> Has anyone else seen activity like this lately?
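Both the question in the reply (do the logged sources share a /16?) and the "fairly sequential" observation in the quoted report can be checked from firewall deny logs alone. The script below is an added example, not part of either post; the log line format, the name `summarize_sources` and the sample addresses are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumed deny-log format (hypothetical); adapt the regex to your firewall.
LINE_RE = re.compile(
    r"DENY UDP (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")

def summarize_sources(lines):
    """Summarize unique sources of denied UDP packets with sport=dport=53."""
    sources = set()
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group(2) != "53" or m.group(4) != "53":
            continue
        try:
            sources.add(ipaddress.IPv4Address(m.group(1)))
        except ValueError:
            continue  # malformed address in the log line
    if not sources:
        return {"unique_sources": 0, "per_slash16": {},
                "top_share": 0.0, "sequential_ratio": 0.0}
    # Bucket every unique source into its enclosing /16.
    per16 = Counter(
        str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in sources)
    ordered = sorted(sources)
    # Pairs of neighbouring addresses (n, n+1) among the sorted sources.
    adjacent = sum(1 for a, b in zip(ordered, ordered[1:])
                   if int(b) - int(a) == 1)
    return {
        "unique_sources": len(ordered),
        "per_slash16": dict(per16),
        "top_share": per16.most_common(1)[0][1] / len(ordered),
        "sequential_ratio": adjacent / max(len(ordered) - 1, 1),
    }

# Constructed sample lines (not from the incident described above).
SAMPLE_LOG = [
    "Oct 24 06:01:01 fw DENY UDP 198.18.4.10:53 -> 203.0.113.10:53",
    "Oct 24 06:01:01 fw DENY UDP 198.18.4.11:53 -> 203.0.113.10:53",
    "Oct 24 06:01:01 fw DENY UDP 198.18.4.11:53 -> 203.0.113.10:53",
    "Oct 24 06:01:02 fw DENY UDP 198.18.4.12:53 -> 203.0.113.10:53",
    "Oct 24 06:01:02 fw DENY UDP 198.18.4.13:53 -> 203.0.113.10:53",
    "Oct 24 06:01:02 fw DENY UDP 198.19.7.1:53 -> 203.0.113.10:53",
    "Oct 24 06:01:03 fw DENY UDP 198.18.9.9:40000 -> 203.0.113.10:53",
]

if __name__ == "__main__":
    print(summarize_sources(SAMPLE_LOG))
```

A `top_share` near 1.0 answers the /16 question directly; `sequential_ratio` measures how many of the unique sources are numerically consecutive.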