Someone from ISC contacted me a couple days ago regarding the ongoing DRDoS attack one of my client's DNS servers has been involved in for months, see the comments section of ISC.org DRDoS Update 2: Problems with .nl Netherlands TLD. I was quite surprised to hear from them and now wonder if perhaps the more responsible thing to do would have been to contact them from the outset. At any rate I dropped the netfilter rules very briefly this morning to obtain a fresh sample of packets. Naturally, my client was not entirely thrilled with the idea. Here's the nice letter I sent them:
I was pleasantly surprised to see someone from ISC asking for
information pertaining to an ongoing DRDoS attack against one of my
client's servers at
I will be happy to provide you with what I know, sample packet data
and cooperation in implementing and testing suggestions.
I think I am looking at a (D)RDoS that is using spoofed ARP-based ANY
queries for isc.org with the intent to obfuscate its source and
amplify its payload. The following series of links more or less
documents the evolution of my theory and how I have tried to contain
Please find attached a libpcap formatted file with fresh packets
sampled this morning (the filter was adjusted to only record ANY
transactions). Please remove any identifying marks from the packets if
you distribute them.
It may be noteworthy that the bursts of traffic seem to be focused on
the daytime (EST) hours and generally dwindle down at night.
Hopefully this has helped, please do not hesitate to get in touch with
me if I can be of further service.
It would be fantastic if the whiz kids over there could come up with a better idea of dealing with this! Fingers crossed. =)