Strange attack attempt
Last Sunday around 15:00 GMT+2 I started receiving hundreds of A6
requests per second to my DNS server. The logs from tcpdump look like:
# tcpdump -n -i ne4
15:24:46.270133 126.96.36.199.1055 > 188.8.131.52.53: 35480 A6?
15:24:46.273419 184.108.40.206.1055 > 220.127.116.11.53: 56458 A6?
15:24:46.278282 18.104.22.168.1055 > 22.214.171.124.53: 39876 A6?
After a while I started getting the same requests from another box
in the same /16, but with source port 53. I quickly set up a pf rule to
block them but they kept flooding the box for about 3 hours.
Now, the questions:
Has any of you ever seen this kind of flood before?
Could it be some badly configured software? (Don't think so, but you
never know with Windows stuff)
What measures do you guys usually take in cases like this one? I
whois'ed the IP address, which seems to belong to Coimbra University in
Portugal, and e-mailed the person in charge about the incident. Being UDP
packets they could have been spoofed, of course.
Miguel Mendez <email@example.com>
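As an added illustration (not part of the original post or its author's tooling), the following script parses tcpdump lines in the format shown above and counts A6 queries per source address per second, so a flood like the one described can be spotted in a capture rather than by eye. The sample lines are constructed for the example using RFC 5737 documentation addresses, and the per-second threshold of 100 is an assumed value, not a figure from the post; it also lists sources that send queries from source port 53, the second variant the post mentions, since a firewall rule that admits port-53 traffic as "DNS replies" would let those through.

```python
import re
from collections import defaultdict

# Regex for the tcpdump line format quoted in the post, e.g.
#   15:24:46.270133 126.96.36.199.1055 > 188.8.131.52.53: 35480 A6?
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<qid>\d+)\s+(?P<qtype>[A-Z0-9]+)\?"
)


def parse_line(line):
    """Parse one tcpdump DNS query line; return a dict or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "qid"):
        rec[key] = int(rec[key])
    return rec


def count_queries(lines, qtype="A6"):
    """Return {(src_ip, second): count} for queries of the given type."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["qtype"] == qtype:
            counts[(rec["src"], rec["ts"])] += 1
    return dict(counts)


def flag_floods(lines, qtype="A6", threshold=100):
    """Return [(src_ip, second, count)] for sources exceeding `threshold`
    queries of `qtype` within one second, sorted by count descending.
    The threshold is an assumed value for this example."""
    counts = count_queries(lines, qtype)
    flagged = [(src, sec, n) for (src, sec), n in counts.items() if n > threshold]
    return sorted(flagged, key=lambda t: (-t[2], t[0], t[1]))


def sources_using_port_53(lines, qtype="A6"):
    """Return the set of source IPs that sent `qtype` queries from source port 53."""
    return {
        rec["src"]
        for rec in map(parse_line, lines)
        if rec and rec["qtype"] == qtype and rec["sport"] == 53
    }


def make_line(ts, src, sport, qid, qtype="A6", dst="198.51.100.5"):
    """Build a constructed tcpdump-style line for the sample input below."""
    return f"{ts} {src}.{sport} > {dst}.53: {qid} {qtype}?"


# Constructed sample capture: 150 A6 queries in one second from 192.0.2.10
# (high source port), 3 A6 queries from 192.0.2.11 with source port 53,
# and one ordinary A query that must not be counted.
SAMPLE_LINES = (
    [make_line(f"15:24:46.{i:06d}", "192.0.2.10", 1055, 30000 + i) for i in range(150)]
    + [make_line(f"15:24:47.{i:06d}", "192.0.2.11", 53, 40000 + i) for i in range(3)]
    + [make_line("15:24:47.500000", "192.0.2.20", 4321, 777, qtype="A")]
)


if __name__ == "__main__":
    for src, sec, n in flag_floods(SAMPLE_LINES):
        print(f"flood: {src} sent {n} A6 queries during second {sec}")
    for src in sorted(sources_using_port_53(SAMPLE_LINES)):
        print(f"note: {src} sends A6 queries from source port 53")
```

Run it against a real capture with `tcpdump -n -i <iface> udp port 53 | python3 script.py`-style piping by replacing `SAMPLE_LINES` with `sys.stdin`; the per-source, per-second grouping is what separates a flood from a busy but legitimate resolver, and the port-53 list tells you whether a rule keyed on source port alone would have been enough.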