
SANS ISC: Packets wanted, DNS DDOS attacks SANS ISC InfoSec Forums


Jim posted earlier in the week (https://isc.sans.edu/diary.html?storyid=13387) regarding a BIND 9 vulnerability. Whilst possibly unrelated, we've had a report regarding a few million DNS responses with static IDs being sent to an organisation.

If you have something similar happening and you are in a position to capture some packets, we'd appreciate it if you could upload some for us to have a look at. Especially if they all have the same ID number.

Mark  

ISC Handler
This doesn't sound like an exploit for CVE-2012-1667 at all. More likely it is the victim end of some variant of the DDoS amplification attack described at https://isc.sans.edu/diary/DNS+ANY+Request+Cannon+-+Need+More+Packets/13261
Anonymous
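
One way to check a capture for the pattern discussed in this thread, as an added example that is not part of the original post or comment: it tallies transaction IDs across DNS responses, flags a single dominant ID, and counts responses to ANY questions. It assumes the UDP payloads have already been extracted from the capture; the function names, the 0.9 threshold and the sample messages are hypothetical and constructed for illustration.

```python
import struct
from collections import Counter

def dns_header(payload):
    """Return (txid, is_response, qtype) for a raw DNS message, or None if malformed."""
    if len(payload) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if not qdcount:
        return txid, bool(flags & 0x8000), None
    pos = 12
    while pos < len(payload) and payload[pos] != 0:  # walk the QNAME labels
        if payload[pos] & 0xC0:  # compression pointer, not expected in the first question
            return None
        pos += 1 + payload[pos]
    if pos + 5 > len(payload):  # need the terminator plus QTYPE and QCLASS
        return None
    qtype = struct.unpack("!H", payload[pos + 1:pos + 3])[0]
    return txid, bool(flags & 0x8000), qtype

def summarize(payloads, threshold=0.9):
    """Tally IDs over responses only; threshold is an assumed cut-off for a 'static' ID."""
    ids, any_count, malformed = Counter(), 0, 0
    for p in payloads:
        hdr = dns_header(p)
        if hdr is None:
            malformed += 1
            continue
        txid, is_response, qtype = hdr
        if is_response:  # QR bit set: this is a response, not a query
            ids[txid] += 1
            any_count += qtype == 255  # QTYPE 255 = ANY
    total = sum(ids.values())
    top_id, top_n = ids.most_common(1)[0] if ids else (None, 0)
    share = top_n / total if total else 0.0
    return {"responses": total, "top_id": top_id, "top_share": share,
            "static_id": share >= threshold, "any_responses": any_count,
            "malformed": malformed}

def build(txid, flags, name, qtype):
    """Construct a minimal DNS message (header plus one question) for the sample data."""
    qname = b"".join(bytes([len(part)]) + part.encode() for part in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

# Constructed sample: 20 responses sharing one ID, one unrelated response, one query, one runt.
SAMPLE = [build(0x1234, 0x8180, "example.com", 255) for _ in range(20)]
SAMPLE += [build(0xBEEF, 0x8180, "example.org", 1), build(0x0001, 0x0100, "example.net", 1), b"\x00\x01"]
if __name__ == "__main__":
    print(summarize(SAMPLE))
```
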
