Reflector Attacks
Repeated trivial queries of our DNS servers
Approximately 13,500 queries in 15 minutes from one source
Divided fairly evenly among our 3 DNS servers
Roughly 4.8 queries a second per DNS server
Notes:
On January 11, 2002, our three DNS servers appeared to be quite busy answering rounds of apparently trivial and repetitive queries coming at a very high rate. For example, between 8:44:29 and 9:00:01, 26,699 packets were exchanged between our DNS servers and 216.91.223.97. Of these, 13,494 were inbound packets to UDP port 53 of the following hosts (the number of packets to each host is also listed):
Host          Number of inbound packets to port 53
mydns1.com    4502
mydns2.com    4534
mydns3.com    4458
This corresponds to about 4.8 queries per second per DNS server. That is most likely not enough to cause a DoS. Examining this information in isolation, it appears that our DNS servers may have been the target of some kind of malicious activity. But were they the actual targets, or were they some kind of reflector or facilitator of a successful DoS against the host that purported to be doing the querying?
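The pattern in these notes (one source, high volume, the same queries repeated, load split evenly over all three servers) can be checked mechanically. The following is an added example, not part of the original slides; the query names, the two contrast clients and the thresholds are constructed assumptions, while the per-server counts and the 932-second window come from the notes. A flagged source only matches the traffic pattern; UDP source addresses can be forged, so it does not say whether that host is the sender or the victim.

```python
from collections import Counter, defaultdict

SERVERS = ["mydns1.com", "mydns2.com", "mydns3.com"]
WINDOW = 932  # seconds between 8:44:29 and 9:00:01

def summarize(records, servers=SERVERS, window=WINDOW):
    """records: (src_ip, dst_server, qname) tuples, one per inbound UDP/53 query."""
    by_src = defaultdict(lambda: (Counter(), set()))
    for src, dst, qname in records:
        hits, names = by_src[src]
        hits[dst] += 1
        names.add(qname.lower())
    report = {}
    for src, (hits, names) in by_src.items():
        total = sum(hits.values())
        per_server = [hits[s] for s in servers]  # 0 for servers never queried
        report[src] = {
            "total": total,
            "avg_qps_per_server": round(total / len(servers) / window, 1),
            # 1.0 = perfectly even split across all servers, 0.0 = a server unused
            "spread": min(per_server) / max(max(per_server), 1),
            # near 1.0 = the same few names asked over and over
            "repeat_ratio": 1 - len(names) / total,
        }
    return report

def suspects(report, min_total=1000, min_spread=0.9, min_repeat=0.99):
    # Thresholds are illustrative assumptions, not values from the slides.
    return sorted(src for src, r in report.items()
                  if r["total"] >= min_total and r["spread"] >= min_spread
                  and r["repeat_ratio"] >= min_repeat)

def sample_records():
    """Constructed input: per-server counts from the notes, query names invented."""
    recs = []
    for server, n in zip(SERVERS, (4502, 4534, 4458)):
        recs += [("216.91.223.97", server, "www.example.com")] * n
    # Constructed contrast: busy but ordinary resolver asking many distinct names.
    for i in range(3000):
        recs.append(("192.0.2.53", SERVERS[i % 3], f"host{i % 1500}.example.net"))
    # Constructed contrast: low-volume client that uses a single server.
    recs += [("198.51.100.7", "mydns1.com", f"site{i}.example.org") for i in range(40)]
    return recs

if __name__ == "__main__":
    rep = summarize(sample_records())
    for src in suspects(rep):
        print(src, rep[src])
```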