[Emerging-Sigs] Dns ddos

Martin Holste mcholste at gmail.com
Wed Oct 26 09:41:42 EDT 2011


Were the sources all in the same /16?  It's possible they were trying
to flood someone else using the ICMP admin-prohibited bounces from the
firewalls in orgs like yours.

On Wed, Oct 26, 2011 at 8:12 AM, Brandon Kendall
<brandon.kendall at gmail.com> wrote:
> My company had a DDoS the other morning that seemed a little odd - packets
> were UDP with both the source and destination port 53. The target IP wasn't
> running DNS so the firewall blocked all of the attempts, but it still
> managed to saturate a 500 mb internet link. Firewall logs show about 63,000
> sources, in a fairly sequential order, leading us to believe they are
> spoofed.
>
> Unfortunately I wasn't able to capture any of the packets.
>
> Has anyone else seen activity like this lately?
>
> Thanks!
>
> Sent from my Android device.
>
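
Added example, not part of the original thread: one way to answer the /16 question and to quantify the "fairly sequential" observation from firewall deny logs. The log line format, the sample addresses and the `max_gap` threshold are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample deny lines; the log format is an assumption, not from the thread.
SAMPLE_LOG = """\
Oct 24 06:01:02 fw DENY UDP 198.18.4.10:53 -> 203.0.113.5:53
Oct 24 06:01:02 fw DENY UDP 198.18.4.11:53 -> 203.0.113.5:53
Oct 24 06:01:02 fw DENY UDP 198.18.4.12:53 -> 203.0.113.5:53
Oct 24 06:01:03 fw DENY UDP 198.18.4.13:53 -> 203.0.113.5:53
Oct 24 06:01:03 fw DENY UDP 198.18.4.15:53 -> 203.0.113.5:53
Oct 24 06:01:03 fw DENY UDP 198.18.200.1:53 -> 203.0.113.5:53
Oct 24 06:01:04 fw DENY UDP 192.0.2.77:53 -> 203.0.113.5:53
Oct 24 06:01:04 fw DENY UDP 198.18.4.10:53 -> 203.0.113.5:53
Oct 24 06:01:05 fw DENY TCP 192.0.2.9:40000 -> 203.0.113.5:443
"""

# Only UDP denies with source and destination port 53, as described in the post.
LINE_RE = re.compile(r"DENY UDP (\d{1,3}(?:\.\d{1,3}){3}):53 -> \S+:53\b")

def parse_sources(log_text):
    """Return the sorted unique source addresses of matching deny lines."""
    sources = set()
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue
        try:
            sources.add(ipaddress.IPv4Address(match.group(1)))
        except ValueError:
            continue  # malformed address in the log line
    return sorted(sources)

def summarize(sources, max_gap=4):
    """Group sources by /16 and measure how many neighbours are near-consecutive."""
    per_net = Counter(ipaddress.ip_network(f"{ip}/16", strict=False) for ip in sources)
    gaps = [int(b) - int(a) for a, b in zip(sources, sources[1:])]
    near = sum(1 for gap in gaps if gap <= max_gap)
    return {
        "unique_sources": len(sources),
        "slash16_count": len(per_net),
        "top_slash16": per_net.most_common(1)[0] if per_net else None,
        "sequential_ratio": near / len(gaps) if gaps else 0.0,
    }

if __name__ == "__main__":
    print(summarize(parse_sources(SAMPLE_LOG)))
```

A `slash16_count` of 1 answers the question in the reply directly, and a `sequential_ratio` near 1.0 across tens of thousands of sources matches the pattern the original post reads as spoofing.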

