DNS "attack"

sgraham
Newbie
Posts: 3
Registered: 17-12-2008

DNS "attack"

For the last couple of days, I've been seeing a lot of UDP packets originating on port 53 hitting my IP address. Because of the port number, I'm guessing that they are DNS replies which are responding to spoofed requests.
That's a well-known mechanism for a denial-of-service attack (look up "DNS Amplification") but in this case there are only 20 or so per minute, hardly a brutal attack.
I've just checked the Plusnet firewall to see if there was any way to filter, but it seems not. I suppose that was optimistic anyway, since the firewall would have to be able to distinguish unsolicited DNS replies from real ones.
I'm not being inconvenienced by this at all, but I was wondering if it's happening widely. Anyone else seeing it?
2 REPLIES
Community Veteran
Posts: 5,094
Thanks: 454
Fixes: 17
Registered: 10-06-2010

Re: DNS "attack"

Are you sure they're not just DNS answers arriving too late? That makes no sense.
No, I haven't noticed anything, although I had stopped recording stats and log messages for most of this week until yesterday.
bradw
Grafter
Posts: 105
Registered: 21-05-2013

Re: DNS "attack"

Not seeing anything on my end, perhaps provide some of the IPs and it can be looked into. Should be easy enough to check if there's a vulnerable DNS server running.
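Telling unsolicited DNS replies from real ones, as the first post puts it, and from the late answers suggested in the first reply, requires remembering which queries the host actually sent. The sketch below is an added example, not part of the original thread: it matches each inbound port-53 reply to an earlier query by server address, local port and DNS transaction ID. The host address, the 5-second timeout and the sample packets are constructed assumptions.

```python
import struct

LOCAL_IP = "192.0.2.10"   # assumed address of the monitored host (documentation range)
TIMEOUT = 5.0             # assumed seconds a resolver waits before giving up

def dns_header(payload):
    """Return (transaction id, is_response) from a DNS message, or None if too short."""
    if len(payload) < 12:
        return None
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000)   # QR bit set means this is a response

def classify(packets):
    """Label each inbound port-53 reply as solicited, late or unsolicited."""
    pending = {}    # (server ip, local port, txid) -> time the query was sent
    verdicts = []
    for ts, src, sport, dst, dport, payload in packets:
        hdr = dns_header(payload)
        if hdr is None:
            continue
        txid, is_response = hdr
        if src == LOCAL_IP and dport == 53 and not is_response:
            pending[(dst, sport, txid)] = ts
        elif dst == LOCAL_IP and sport == 53 and is_response:
            sent = pending.pop((src, dport, txid), None)
            label = ("unsolicited" if sent is None
                     else "late" if ts - sent > TIMEOUT else "solicited")
            verdicts.append((ts, src, label))
    return verdicts

def msg(txid, response):
    """Build a bare 12-byte DNS header (constructed test data, no question section)."""
    return struct.pack("!HHHHHH", txid, 0x8180 if response else 0x0100, 1, 0, 0, 0)

# Constructed sample traffic: (time, src ip, src port, dst ip, dst port, UDP payload)
SAMPLE = [
    (0.00, LOCAL_IP, 40001, "198.51.100.53", 53, msg(0x1111, False)),
    (0.03, "198.51.100.53", 53, LOCAL_IP, 40001, msg(0x1111, True)),
    (1.00, LOCAL_IP, 40002, "198.51.100.53", 53, msg(0x2222, False)),
    (9.00, "198.51.100.53", 53, LOCAL_IP, 40002, msg(0x2222, True)),
    (10.0, "203.0.113.7", 53, LOCAL_IP, 51515, msg(0x3333, True)),
    (13.0, "203.0.113.8", 53, LOCAL_IP, 51515, msg(0x4444, True)),
]

if __name__ == "__main__":
    print(*classify(SAMPLE), sep="\n")
```

A steady count of "unsolicited" verdicts from servers the host never queried fits the spoofed-request explanation, while "late" verdicts point to slow answers from resolvers the host did use.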