Massive DNS Amplification Attack Directed at Delta-Bank Ukraine

I don’t normally report on every DNS anomaly that I see but today I noticed that we are seeing massive amounts of DNS traffic directed at More information regarding this IP address can be found here. I noticed this attack initially earlier today while doing some routine Wireshark analysis. I noted a large number of DNS seemingly originating from requesting ANY information for These queries initially were coming in at about 20-30 per minute. After several hours, these queries ramped up to more than 1000 per minute against a single DNS server. In this case, the source IP address is forged and is actually the IP address of the target victim.

We have rules in place that limit inbound DNS traffic and therefore were not really impacted by the traffic increase. Here is a snapshot of an hour’s worth of traffic indicating the number of DNS requests per minute over that time frame.


DNS Amplification Attack data 12-09-2014


If you noticed any Internet issues today, it was likely due to slower DNS resolution due to the massive number of DNS requests generated for this attack. If you run any sort of DNS cache server, you should drop all ANY queries for As of 11:25 PM GMT, this attack is still in full swing.
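A resolver operator can spot the ramp described above from the query log alone. The following is an added example, not part of the original post: it counts ANY queries per minute per claimed source and queried name, and flags the minutes that cross a threshold. The log layout (modeled on a BIND-style query log), the addresses, the names and the threshold of 100 per minute are all assumptions, and the sample log is constructed.

```python
import re
from collections import Counter

# Assumed layout, modeled on a BIND-style query log line (constructed):
# 09-Dec-2014 18:01:02.123 client 198.51.100.7#40001 (victim.example): query: victim.example IN ANY +E (203.0.113.5)
LINE_RE = re.compile(
    r"^(?P<minute>\d{2}-\w{3}-\d{4} \d{2}:\d{2}):\d{2}\.\d+ "
    r"client (?P<src>[0-9a-fA-F.:]+)#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)
THRESHOLD = 100  # assumed alert level, between the 20-30/min and 1000+/min rates in the post


def any_per_minute(lines):
    """Count ANY queries per (minute, claimed source, queried name)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["qtype"].upper() == "ANY":
            # The source is what the packet claims; in an amplification
            # attack it is forged and is really the victim's address.
            counts[(m["minute"], m["src"], m["qname"].lower().rstrip("."))] += 1
    return counts


def flag_bursts(counts, threshold=THRESHOLD):
    """Return the (bucket, count) pairs at or above the threshold, sorted."""
    return sorted((key, n) for key, n in counts.items() if n >= threshold)


def build_sample():
    """Constructed log: 25 ANY/min, then 1000 ANY/min, plus ordinary A lookups."""
    fmt = ("09-Dec-2014 18:{m:02d}:{s:02d}.{ms:03d} client {src}#{port} "
           "({q}): query: {q} IN {t} +E (203.0.113.5)")
    spoofed = dict(src="198.51.100.7", q="victim.example", t="ANY")
    lines = [fmt.format(m=1, s=i % 60, ms=i, port=40000 + i, **spoofed)
             for i in range(25)]
    lines += [fmt.format(m=2, s=i % 60, ms=i % 1000, port=40000 + i, **spoofed)
              for i in range(1000)]
    lines += [fmt.format(m=2, s=i, ms=0, src="192.0.2.44", port=5000 + i,
                         q="www.example.org", t="A") for i in range(10)]
    return lines


if __name__ == "__main__":
    for (minute, src, qname), n in flag_bursts(any_per_minute(build_sample())):
        print(f"{minute}  {n} ANY queries for {qname} claiming source {src}")
```

Grouping by claimed source and name matters here because a reflected flood shows up as one apparent client asking the same question over and over, which is the pattern a rate limit or an ANY drop rule should key on.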
