Who is the Victim?
Notes:
While we have no way to confirm this, is it possible that our DNS servers were used as reflector or amplification hosts, much like the Smurf attack used intermediate sites to amplify the volume of traffic to a target host or network? It is possible that the 216.91.223.97 host was the victim DNS server and that someone had spoofed it as the source IP number. And, perhaps we were just one of many sites that were used to amplify the traffic.
This is effective because many sites will not notice this reflector traffic unless they scrutinize it very carefully. So it stays under the radar at the reflector sites, but the traffic in aggregate, especially after amplification, may overwhelm the target site and cause a DoS.
In fact, on this very same day (January 11, 2002), Steve Gibson noticed a denial of service attack against his site (grc.com) that he dubbed the “Packet Bounce Attack DoS”. He noticed unsolicited replies for BGP port 179, secure shell port 22, DNS, telnet and HTTP. He described the activity as coming from many different sources, as posited in the scenario above.
See http://grc.com/dos/packetbounce.htm for more information on the Packet Bounce Attack.
Many thanks to Vern Stark of Johns Hopkins University Applied Physics Lab for detecting and analyzing this attack.
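
How a reflector site could check its own DNS query log for the scenario described above, as an added example that is not part of the original notes. The log format, the addresses (RFC 5737 documentation ranges) and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict

BASE = 1010707200  # constructed epoch timestamp, start of a 60 s window

# Constructed sample log, one line per answered query:
# "epoch_seconds src_ip query_bytes response_bytes" (format is an assumption).
SAMPLE_LOG = (
    [f"{BASE + i} 192.0.2.10 33 49" for i in range(25)]        # busy, small answers
    + [f"{BASE + i} 192.0.2.12 29 410" for i in range(2)]       # big answers, rare
    + [f"{BASE + i} 198.51.100.7 29 410" for i in range(40)]    # steady, big answers
)


def reflector_suspects(lines, window=60, min_queries=20, min_ratio=5.0):
    """Flag source IPs that, within one time window, send many queries AND
    draw answers far larger than the queries. Either signal alone is normal;
    together they suggest spoofed queries bounced off this server, in which
    case the flagged address is the likely victim, not the attacker."""
    buckets = defaultdict(lambda: {"queries": 0, "bytes_in": 0, "bytes_out": 0})
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        ts, src, qlen, rlen = fields
        b = buckets[(src, int(ts) // window)]
        b["queries"] += 1
        b["bytes_in"] += int(qlen)
        b["bytes_out"] += int(rlen)

    suspects = {}
    for (src, _win), b in buckets.items():
        if b["bytes_in"] == 0 or b["queries"] < min_queries:
            continue
        ratio = b["bytes_out"] / b["bytes_in"]
        if ratio < min_ratio:
            continue
        # Keep the worst window per source.
        if src not in suspects or b["bytes_out"] > suspects[src]["bytes_out"]:
            suspects[src] = {**b, "ratio": round(ratio, 1)}
    return suspects


if __name__ == "__main__":
    for src, s in reflector_suspects(SAMPLE_LOG).items():
        print(src, s)
```

The busy client with small answers and the occasional client with large answers are both left alone; only the source that combines volume with a high response-to-query byte ratio is reported.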