DNS queries for “.”

As described by the Internet Storm Center in last Sunday's diary, my name server was also hit by this attack today.

380000 queries for “.” were sent to BIND. For those who are not experienced with the DNS protocol, querying for a dot (“.”) asks the name server to return the list of the root servers. In terms of resources, the attacker sends a small UDP packet (45 bytes) and the name server sends back a packet at least 10 times larger! As the packets were spoofed, this is a perfect example of DDoS!

Here is a list of targeted IP addresses:

The solution was to blacklist those addresses at firewall level.
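
Added example (not part of the original post): one way to pull the claimed source addresses of “.” queries out of a name server query log, so they can be reviewed before being blocked at the firewall. The log line layout follows BIND 9 query logging, the sample lines are constructed with documentation addresses, and the function names and threshold are assumptions; the 45-byte and 10x figures are the ones quoted above.

```python
import re
from collections import Counter

# BIND 9 querylog style: "... client <ip>#<port>: query: <qname> <class> <type> <flags>"
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

REQUEST_BYTES = 45   # size of the spoofed query, as stated in the post
AMPLIFICATION = 10   # minimum response/request ratio, as stated in the post


def root_query_sources(lines):
    """Count queries for the root zone (".") per claimed source address."""
    counts = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if m and m.group("qname") == ".":
            counts[m.group("ip")] += 1
    return counts


def blocklist_candidates(counts, threshold):
    """Sources whose root-query count reaches the threshold, busiest first."""
    hits = [(ip, n) for ip, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


def reflected_bytes(count):
    """Lower bound on the traffic reflected towards one spoofed source."""
    return count * REQUEST_BYTES * AMPLIFICATION


# Constructed sample log (documentation addresses, not the IPs from the post).
SAMPLE_LOG = (
    ["01-Jan-2000 10:00:01.000 client 192.0.2.10#1234: query: . IN NS +"] * 5
    + ["01-Jan-2000 10:00:02.000 client 198.51.100.7#4321: query: . IN NS +"] * 3
    + ["01-Jan-2000 10:00:03.000 client 203.0.113.5#5353: query: www.example.com IN A +",
       "01-Jan-2000 10:00:04.000 client 203.0.113.5#5353: query: . IN NS +",
       "01-Jan-2000 10:00:05.000 general: info: zone example.com/IN: loaded serial 1"]
)

if __name__ == "__main__":
    for ip, n in blocklist_candidates(root_query_sources(SAMPLE_LOG), threshold=3):
        print(f"{ip}\t{n} root queries\t>= {reflected_bytes(n)} bytes reflected")
```

A single “.” query from a resolver priming its root hints is normal, which is why the example applies a threshold instead of listing every source.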

Check out the ISC report: http://isc.sans.org/diary.html?storyid=5713
