[Pdns-users] DNS amplification attack advice

Peter Gervai grinapo+pdnsdevel at gmail.com
Wed May 30 11:59:53 UTC 2012


On Wed, May 30, 2012 at 11:12 AM, kalpesh thaker
<kalpesh at webdevworld.com> wrote:
> according to tcpdump -vn, the connections were mostly TCP.. however there
> were a lot of repetitive incoming UDP packets coming in during the early
> stages, for authoritative domains on our NS querying TXT RRs. This is why I
> suspected amplification as being possible in this DOS attack. Immediately

Sorry for stating the obvious but often what looks like a DoS attack
is just business as usual: if your subnet has a few trojanised
spambots and you host your own revdns then mailservers may request
revdns entries in cohorts, for example. Resolving TXT entries may be
collateral from looking up abuse contacts en masse, for example. Maybe not,
but I've seen many DNS "DoS" which were the result of a couple of
virus-ridden windoze systems on local subnets.

As a sidenote I wondered what amount of traffic it was since pdns is
supposed to be able to handle quite an amount of requests per second
and shouldn't choke easily.

Peter
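The distinction Peter draws (reflection/amplification with a spoofed source versus ordinary lookups, possibly from compromised local hosts) is something you can check directly in the capture kalpesh mentions. The script below is an added example and is not code from the original thread or from PowerDNS; it triages a few CONSTRUCTED lines in the shape of `tcpdump -n` output for UDP DNS (one packet per line, RFC 5737 documentation addresses, not a real capture), and the `192.0.2.0/24` "local" prefix, the server address `192.0.2.10` and the 5x amplification threshold are assumptions for the sake of illustration.

```python
"""Triage DNS query traffic: reflection/amplification vs. ordinary lookups.

Added example, not from the original thread. SAMPLE is a constructed set of
tcpdump -n style lines for UDP DNS, not a real capture; the server address,
the local prefix and the amplification threshold are assumptions.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: three TXT queries from one remote address with big
# answers, two PTR lookups from a remote mail server, one A query from a
# host inside the assumed local prefix.
SAMPLE = """\
12:00:01.000001 IP 203.0.113.9.40001 > 192.0.2.10.53: 4321+ TXT? example.org. (30)
12:00:01.000202 IP 192.0.2.10.53 > 203.0.113.9.40001: 4321 3/0/0 TXT "v=spf1 ..." (420)
12:00:01.000311 IP 203.0.113.9.40002 > 192.0.2.10.53: 4322+ TXT? example.org. (30)
12:00:01.000512 IP 192.0.2.10.53 > 203.0.113.9.40002: 4322 3/0/0 TXT "v=spf1 ..." (420)
12:00:01.000620 IP 203.0.113.9.40003 > 192.0.2.10.53: 4323+ TXT? example.org. (30)
12:00:01.000821 IP 192.0.2.10.53 > 203.0.113.9.40003: 4323 3/0/0 TXT "v=spf1 ..." (420)
12:00:02.100001 IP 198.51.100.20.51000 > 192.0.2.10.53: 9001 PTR? 77.2.0.192.in-addr.arpa. (45)
12:00:02.100150 IP 192.0.2.10.53 > 198.51.100.20.51000: 9001 1/0/0 PTR host77.example.org. (79)
12:00:02.100300 IP 198.51.100.20.51001 > 192.0.2.10.53: 9002 PTR? 78.2.0.192.in-addr.arpa. (45)
12:00:02.100450 IP 192.0.2.10.53 > 198.51.100.20.51001: 9002 NXDomain 0/1/0 (96)
12:00:03.000001 IP 192.0.2.77.33000 > 192.0.2.10.53: 77+ A? example.org. (29)
12:00:03.000100 IP 192.0.2.10.53 > 192.0.2.77.33000: 77 1/0/0 A 192.0.2.10 (45)
"""

# "<ts> IP <src>.<sport> > <dst>.<dport>: <id><flags> <rest> (<len>)"
PKT = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<id>\d+)[+*|$-]* (?P<rest>.*)\((?P<len>\d+)\)$"
)
QUERY = re.compile(r"^(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)\s*$")   # "TXT? example.org."
RESP = re.compile(r"\d+/\d+/\d+")                                   # "3/0/0" answer counts


def parse(text):
    """Yield one dict per parseable packet, tagged as query or response."""
    for line in text.splitlines():
        m = PKT.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["len"] = int(d["len"])
        q = QUERY.match(d["rest"])
        if d["dport"] == "53" and q:
            d.update(kind="query", qtype=q["qtype"], qname=q["qname"])
        elif d["sport"] == "53" and RESP.search(d["rest"]):
            d["kind"] = "response"
        else:
            continue
        yield d


def triage(text, local_net, server_ip):
    """Per client address: query count, dominant type, TXT share, bytes out/in."""
    local = ip_network(local_net)
    stats = defaultdict(lambda: {"queries": 0, "qtypes": Counter(),
                                 "bytes_in": 0, "bytes_out": 0})
    for p in parse(text):
        if p["kind"] == "query" and p["dst"] == server_ip:
            s = stats[p["src"]]
            s["queries"] += 1
            s["qtypes"][p["qtype"]] += 1
            s["bytes_in"] += p["len"]
        elif p["kind"] == "response" and p["src"] == server_ip:
            stats[p["dst"]]["bytes_out"] += p["len"]
    report = {}
    for client, s in stats.items():
        amp = s["bytes_out"] / s["bytes_in"] if s["bytes_in"] else float("inf")
        report[client] = {
            "queries": s["queries"],
            "top_qtype": s["qtypes"].most_common(1)[0][0] if s["queries"] else None,
            "txt_share": round(s["qtypes"]["TXT"] / s["queries"], 2) if s["queries"] else 0.0,
            "amp_ratio": round(amp, 1),          # bytes we send / bytes we receive
            "local": ip_address(client) in local,
        }
    return report


def verdict(report, amp_threshold=5.0):
    """Heuristic label per client; the threshold is an assumption, tune it."""
    out = {}
    for client, r in report.items():
        if not r["local"] and r["amp_ratio"] >= amp_threshold:
            # Big answers to a remote address: in a reflection attack that
            # address is the spoofed victim, not the party sending the queries.
            out[client] = "possible reflection target (spoofed source)"
        elif r["local"]:
            out[client] = "local client: check the host before blaming the network"
        else:
            out[client] = "ordinary remote lookups"
    return out


if __name__ == "__main__":
    rep = triage(SAMPLE, "192.0.2.0/24", "192.0.2.10")
    for client, label in verdict(rep).items():
        print(f"{client:15} {rep[client]}  ->  {label}")
```

With a real capture you would feed `tcpdump -n -l udp port 53` output in place of `SAMPLE`; the useful signals are the same: a high out/in byte ratio toward addresses that only ever ask one or two cheap questions (amplification, where the "source" is the victim), versus modest ratios and varied names from a few addresses inside your own prefix (look at those hosts).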
