
I've been getting a large number (150,000/day) of DNS queries in the form of A record searches to IP addresses (i.e. 192.1.2.3.domain.org).

My best guess is this should be considered a UDP Flood Attack. Can anyone confirm if this is accurate or not?

Last Post by sknake

Are you getting the requests over UDP or TCP? DNS uses both protocols. Upload your network traffic capture for the DNS; it's really hard to say without taking a look. You can use Wireshark or tcpdump to generate a pcap file.


Are you getting the requests over UDP or TCP? DNS uses both protocols. Upload your network traffic capture for the DNS; it's really hard to say without taking a look. You can use Wireshark or tcpdump to generate a pcap file.

sknake,

It's all UDP queries. The info block of Wireshark comes across as :
Standard query A 123.45.67.89.domain.org

With the IP address always being a random IP address and the domain being our domain.

I can try and get a copy of the PCAP file sent to me, but probably not till after New Years.

I'm trying to get a feel of accuracy if I report that 150,000 DNS queries that are malformed should be considered a Denial of Service attack and if it's appropriate to list it as a UDP flood attack.


There is a lot more information in Wireshark than just the DNS query, so it would be helpful to have the pcap logs to analyze the traffic. With UDP you can "spoof" the sender since it is a stateless protocol, and the advantage of doing that is you can force the server to send a response out, eating up more bandwidth than just hammering it with queries. It sounds like a denial of service attack and is a UDP attack as well. There are many forms of UDP attacks, DNS attacks being one. I'm not sure the classification of what kind of attack it is matters as much as getting the traffic blocked. You can likely adjust settings on your router or DNS server to minimize the effects of the attack until you can contact your upstream provider and have them trace the traffic back and block it.
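Added example, not code from anyone in this thread: a small Python script that scans Wireshark-style "Info" lines for the pattern described above (an A query for a random dotted quad under your own zone) and counts how many match, so the volume of that specific traffic can be measured against the rest of the queries before reporting it. The sample lines and the zone name `domain.org` are constructed; on real data you would export the Info column from Wireshark (or `tshark -T fields`) and feed those lines in.

```python
import re
from collections import Counter

# Constructed sample of Wireshark "Info" column lines, not real traffic.
SAMPLE_INFO_LINES = [
    "Standard query A 123.45.67.89.domain.org",
    "Standard query A 10.200.3.4.domain.org",
    "Standard query A www.domain.org",          # legitimate-looking name
    "Standard query A 8.8.8.8.domain.org",
    "Standard query MX domain.org",             # different record type
    "Standard query A 999.1.2.3.domain.org",    # octet out of range, not a quad
    "Standard query A 192.0.2.77.domain.org",
]

QUERY_RE = re.compile(r"^Standard query (?P<type>[A-Z]+) (?P<name>\S+)$")
# Four 1-3 digit labels followed by the rest of the name (the zone).
QUAD_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(?P<zone>.+)$")

def has_ipv4_prefix(qname, zone):
    """True if qname is <dotted-quad>.<zone> with every octet in 0..255."""
    m = QUAD_RE.match(qname)
    if not m or m.group("zone").rstrip(".").lower() != zone.lower():
        return False
    return all(0 <= int(octet) <= 255 for octet in m.groups()[:4])

def classify(lines, zone):
    """Bucket Info lines: IP-prefixed A queries under zone vs. everything else."""
    counts = Counter()
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            counts["unparsed"] += 1
        elif m.group("type") == "A" and has_ipv4_prefix(m.group("name"), zone):
            counts["ip_prefixed_a"] += 1
        else:
            counts["other"] += 1
    return counts

def queries_per_second(count, window_seconds):
    """Sustained rate; 150,000/day as reported in the thread is about 1.7/s."""
    return count / window_seconds

if __name__ == "__main__":
    c = classify(SAMPLE_INFO_LINES, "domain.org")
    print(c)                                   # Counter({'ip_prefixed_a': 4, 'other': 3})
    print(round(queries_per_second(150_000, 86_400), 2))
```

A steady trickle of 1.7/s will not saturate a link by itself, so the share of matching queries and their source addresses in the pcap (many random spoofed sources versus a few fixed ones) tell you more about whether this is a flood than the daily total does.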
