Network Operators Discuss Reflective DDoS Attacks

Malware sends TXT and ANY queries to slow down DNS Servers

Shortly before February 24, 2006, Paul at Covad posted a message to the North American Network Operators Group (NANOG) bulletin boards reporting a deluge of DNS requests for "ANY ANY" records of x.p.ctrc.cc.

The DNS requests came from thousands of distributed sources, and the p.ctrc.cc server appeared to have been hijacked. The malware issuing lookups for this name queried at a very high rate: some addresses made more than 250,000 requests for the same server name in only a few minutes.

Blogs on the subject indicated that simply configuring an authoritative zone for p.ctrc.cc on the nameservers, so that the lookups received an answer, would not stop the attack. Such attempts to answer the lookups had already failed, and the hosts continued sending new requests.

In this flood attack, all hosts started at the same time, putting a huge load on the nameservers. Other members of NANOG confirmed having experienced this same "reflected flood attack" hitting their DNS servers as well, including some Country-Code Top-Level Domain (ccTLD) servers.

A network engineer at ISDN reported a similar attack in the same month, in which TXT and ANY queries for this zone were used in a multi-gigabit reflected DNS DDoS attack against ISDN.
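The defender-side signal in the reports above is the same on every affected server: a small number of clients sending ANY or TXT queries for names under one zone at an abnormal rate. The following added example (not code from the NANOG posts or from Secure64) counts such queries per client over constructed BIND-style query-log lines and flags the ones that exceed a threshold; in a spoofed reflection attack the flagged "client" is the victim, so the result should feed response rate limiting rather than a block list.

```python
import re
from collections import Counter

# Constructed BIND-style query-log lines (not taken from the original report):
# two clients hammer x.p.ctrc.cc with ANY/TXT queries, one client is normal.
SAMPLE_LOG = [
    "24-Feb-2006 10:00:00.001 client 192.0.2.10#5310: query: x.p.ctrc.cc IN ANY +",
    "24-Feb-2006 10:00:00.002 client 192.0.2.10#5310: query: x.p.ctrc.cc IN ANY +",
    "24-Feb-2006 10:00:00.003 client 192.0.2.10#5310: query: x.p.ctrc.cc IN TXT +",
    "24-Feb-2006 10:00:00.004 client 198.51.100.7#4001: query: x.p.ctrc.cc IN ANY +",
    "24-Feb-2006 10:00:00.005 client 198.51.100.7#4001: query: x.p.ctrc.cc IN ANY +",
    "24-Feb-2006 10:00:00.006 client 198.51.100.7#4001: query: x.p.ctrc.cc IN ANY +",
    "24-Feb-2006 10:00:00.007 client 203.0.113.5#53001: query: www.example.com IN A +",
    "24-Feb-2006 10:00:00.008 client 203.0.113.5#53001: query: x.p.ctrc.cc IN A +",
]

# Matches the "client <ip>#<port>: query: <qname> IN <qtype>" part of a log line.
QUERY_RE = re.compile(
    r"client (?P<ip>[^#\s]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_queries(lines):
    """Yield (client_ip, qname, qtype) for every line that looks like a query."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m["ip"], m["qname"].rstrip(".").lower(), m["qtype"].upper()


def in_zone(qname, zone):
    """True if qname is the zone apex or any name below it (label-aligned)."""
    zone = zone.rstrip(".").lower()
    return qname == zone or qname.endswith("." + zone)


def flood_sources(lines, zone, qtypes=("ANY", "TXT"), threshold=3):
    """Count ANY/TXT queries under `zone` per client; return those at or above
    `threshold` as {client_ip: count}. Threshold is tiny here to suit the sample;
    in production, bucket by time window and tune to the server's baseline."""
    counts = Counter()
    for ip, qname, qtype in parse_queries(lines):
        if qtype in qtypes and in_zone(qname, zone):
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in sorted(flood_sources(SAMPLE_LOG, "p.ctrc.cc").items()):
        print(f"{ip}: {n} ANY/TXT queries under p.ctrc.cc")
```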

Source: NANOG Archive

About Secure64 Software Corporation
Secure64® is a software developer providing highly secure DNS and server applications with built-in denial-of-service protection features to help ensure your Internet-dependent business is always accessible. Based on the genuinely secure SourceT® microOS, Secure64 DNS remains highly available during network attacks and is immune to compromise from rootkits and malware.
