September 15th, 2013, 02:42 PM
We are receiving what looks like DNS Amplification attacks to our DNS server, but there is no amplification. It started on Sept 11 with A record requests for a.packetdevil.com from a number of different source addresses (probably spoofed). On Sept 14, it switched to an A-record request for aa.asd3sc.com from a single source address. Our server blocked that address when it exceeded the rate limit we have set. So then it rotated to the same requests from different source addresses for a single C class range. We manually blocked the entire range. From there it reverted back to single source addresses that got rate blocked by our server. As an example, this morning over a period of about 6 hours, we received 67,746 requests for this domain.
Our server doesn't offer Recursion, and therefore there is no amplification. These attacks are not causing any problems, other than filling up our log files. Does anyone know what is going on?
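
The pattern described in the post (one address hitting the rate limit, then the same query rotating across addresses in one range) can be separated out of a query log by grouping on queried name and source /24. The following is an added example, not part of the original post; it assumes a BIND-style query-log layout, which the post does not specify, and the sample lines and source addresses are constructed (RFC 5737 documentation ranges).

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in a BIND-style query-log layout (assumption: the post
# does not name the DNS server or its log format). Source addresses are
# RFC 5737 documentation ranges, not addresses from the post.
SAMPLE_LOG = """\
15-Sep-2013 08:00:01.100 client 192.0.2.10#4242: query: aa.asd3sc.com IN A -
15-Sep-2013 08:00:01.300 client 192.0.2.10#4243: query: aa.asd3sc.com IN A -
15-Sep-2013 08:00:01.500 client 192.0.2.10#4244: query: aa.asd3sc.com IN A -
15-Sep-2013 08:00:02.100 client 198.51.100.7#5001: query: aa.asd3sc.com IN A -
15-Sep-2013 08:00:02.200 client 198.51.100.23#5002: query: AA.ASD3SC.COM IN A -
15-Sep-2013 08:00:02.300 client 198.51.100.99#5003: query: aa.asd3sc.com IN A -
15-Sep-2013 08:00:03.000 client 203.0.113.5#6001: query: www.example.org IN A -
"""

LINE_RE = re.compile(
    r"client (?P<ip>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def summarize(log_text, min_hits=3):
    """Group queries by (qname, source /24) and describe each busy group."""
    groups = defaultdict(Counter)  # (qname, /24) -> per-source query counts
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query line
        qname = m["qname"].lower().rstrip(".")  # DNS names are case-insensitive
        net = ipaddress.ip_network(m["ip"] + "/24", strict=False)
        groups[(qname, str(net))][m["ip"]] += 1

    report = []
    for (qname, net), sources in sorted(groups.items()):
        total = sum(sources.values())
        if total < min_hits:
            continue
        # One address: per-address rate limiting handles it.
        # Several addresses in one /24: only a per-range limit or block does.
        pattern = "single-source" if len(sources) == 1 else "rotating-in-range"
        report.append((qname, net, total, len(sources), pattern))
    return report

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(*row, sep="\t")
```

Each row gives the queried name, the source /24, the total queries, the number of distinct sources, and which of the two patterns the group matches.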