Time: January 9, 2012
Main content:
Sebastian Wiesinger from Germany observed a large number of DNS queries of type ANY for the domain name isc.org and suspected that this was a DDoS attack against isc.org. The Top 10 clients for this query in the previous 24 hours are as follows:
69.4.233.53 2476
76.10.210.231 2120
212.7.194.14 1301
176.31.235.155 926
68.68.27.29 534
174.127.73.147 457
78.159.111.189 232
174.127.88.134 143
69.4.230.111 95
46.105.9.242 79
Paul J. Smith added that most of these IP addresses are in APNIC blocks, and that quite a few providers have been seeing this traffic for a month or so now. The clients are making ANY requests for large numbers of domains at a great rate. If this abnormal traffic was an attempted amplification DoS attack, then the source addresses of the queries were spoofed and the above IP addresses were the targets of the attack, since the large ANY responses are sent to them.
Although BCP38, the ingress filtering practice for dropping packets with spoofed source addresses, was introduced more than ten years ago, this incident shows that its deployment is still not satisfactory.
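A per-client count like the Top 10 list above can be produced from a resolver's query log. The following is an added example, not code from the original thread; the log format is assumed to follow BIND 9 query logging, the sample lines are constructed, and the function name `top_any_clients` is hypothetical.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample modelled on BIND 9 query logging (assumed format; adapt
# LINE_RE to your server). All addresses are documentation ranges.
SAMPLE_LOG = """\
07-Jan-2012 08:00:00.000 queries: info: client 203.0.113.99#5353: query: isc.org IN ANY +ED (203.0.113.1)
09-Jan-2012 09:15:02.101 queries: info: client 192.0.2.10#40211: query: isc.org IN ANY +ED (203.0.113.1)
09-Jan-2012 09:15:02.140 queries: info: client 192.0.2.10#40211: query: isc.org IN ANY +ED (203.0.113.1)
09-Jan-2012 09:15:03.007 queries: info: client 198.51.100.7#1025: query: IsC.oRg IN ANY +ED (203.0.113.1)
09-Jan-2012 09:15:03.350 queries: info: client 192.0.2.10#40211: query: isc.org IN ANY +ED (203.0.113.1)
09-Jan-2012 09:15:04.512 queries: info: client 192.0.2.10#40212: query: isc.org IN A + (203.0.113.1)
09-Jan-2012 09:15:05.020 queries: info: client 198.51.100.7#1025: query: example.com IN ANY +ED (203.0.113.1)
09-Jan-2012 09:15:06.900 queries: info: client 198.51.100.7#1026: query: isc.org. IN ANY +ED (203.0.113.1)
"""

# Timestamp, client address (IPv4 or IPv6), then query name, class and type.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ .*?"
    r"client (?:@\S+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+[^:]*: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

def top_any_clients(log_text, qname, now, window=timedelta(hours=24), n=10):
    """Return [(client_ip, count)] for ANY queries for qname inside the window.

    With spoofed sources, a high count marks a likely reflection target,
    not the real sender of the queries.
    """
    target = qname.rstrip(".").lower()
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["qtype"].upper() != "ANY":
            continue
        # DNS names are case-insensitive and may carry a trailing dot.
        if m["qname"].rstrip(".").lower() != target:
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        if now - window <= ts <= now:
            counts[m["ip"]] += 1
    return counts.most_common(n)

if __name__ == "__main__":
    for ip, hits in top_any_clients(SAMPLE_LOG, "isc.org", datetime(2012, 1, 9, 12, 0, 0)):
        print(ip, hits)
```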
