As described by the Internet Storm Center in last Sunday's diary, my name server was also hit by this attack today.
380000 queries for "." were sent to bind. For those who are not experienced with the DNS protocol, querying for a dot (".") asks the name server to return the list of the root servers. In terms of resources, the attacker sends a small UDP packet (45 bytes) and the name server sends back a packet at least 10 times larger! As the packets were spoofed, this is a perfect example of DDoS!
Here is a list of targeted IP addresses:
63.217.28.226 66.230.160.1 66.230.128.15 69.50.142.11 69.50.142.110 76.9.16.171 76.9.31.42 216.201.82.19
The solution was to blacklist those addresses at firewall level.
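One way to find which source addresses to blacklist is to count queries for "." per client in the name server's query log. The script below is an added example, not part of the original post; it assumes a BIND 9 style query log line (`client <ip>#<port>: query: <name> IN <type>`), and the sample log lines, addresses and the `threshold` parameter are constructed for illustration.

```python
import re
from collections import Counter

# Assumed BIND 9 querylog layout; an optional "(name)" or "view x:" part is tolerated.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"(?:view \S+: )?query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

def root_query_sources(lines, threshold=3):
    """Return [(source_ip, count)] for clients that queried "." at least
    `threshold` times, busiest first. Lines that do not parse are skipped."""
    counts = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if m and m.group("name") == ".":
            counts[m.group("ip")] += 1
    hits = [(ip, n) for ip, n in counts.items() if n >= threshold]
    # With spoofed packets, the logged "client" is the address receiving the replies.
    return sorted(hits, key=lambda kv: (-kv[1], kv[0]))

# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
01-Jan-2000 10:00:01.101 client 192.0.2.10#31337: query: . IN NS +
01-Jan-2000 10:00:01.102 client 192.0.2.10#31337: query: . IN NS +
01-Jan-2000 10:00:01.150 client 198.51.100.7#4444: query: . IN NS +
01-Jan-2000 10:00:01.200 client 203.0.113.5#53211: query: www.example.com IN A +
01-Jan-2000 10:00:01.250 client 192.0.2.10#31337: query: . IN NS +
01-Jan-2000 10:00:01.300 client 198.51.100.7#4444: query: . IN NS +
01-Jan-2000 10:00:01.350 client 203.0.113.5#53212: query: . IN NS +
01-Jan-2000 10:00:01.400 client 192.0.2.10#31337: query: . IN NS +
01-Jan-2000 10:00:01.450 client 198.51.100.7#4444: query: . IN NS +
named[123]: unrelated log line without a query
""".splitlines()

if __name__ == "__main__":
    for ip, n in root_query_sources(SAMPLE_LOG):
        print(f"{ip}\t{n} queries for '.'")
```

On a real server the threshold would be set well above what a legitimate resolver sends in the same time window.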
Check out the ISC report: http://isc.sans.org/diary.html?storyid=5713