* Piotr Kamisiski:

> 23:05:40.241026 IP 204.92.73.10.40760 > xx.xx.xx.xx.53: 38545+ [1au] ANY ANY? e.mpisi.com. (40)

204.92.73.10 is one of the IP addresses for irc.efnet.ca. Someone is spoofing the source addresses, in the hope that DNS servers will return a large record set.

Could you check if the packets contain OPT records (e.g. using "tcpdump -s 0 -v")? This protocol extension is described in the RFC for EDNS0 (RFC 2671). EDNS0-capable DNS resolvers can send fragmented UDP packets, exceeding the traditional 512 byte limit of DNS UDP replies. The BIND 9 default maximum response size is 4096, for example.

If the spoofed requests contain OPT records, you typically get an amplification factor of about 60 in terms of bandwidth, and 5 in terms of packet rate, but actual numbers may vary.

Yet another reason to restrict access to your recursive resolvers to customers only.
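The OPT check asked for above can also be done on captured query bytes. The following is an added example, not part of the original message: it parses a query, reports whether an OPT record is present, and computes the upper bound on bandwidth amplification that the advertised UDP size allows. The sample packet is rebuilt from the fields in the quoted tcpdump line; the 4096 advertised size and all function names are assumptions.

```python
import struct

def build_query(qid, name, qtype, qclass, edns_size=None):
    """Build a DNS query (constructed sample input), optionally with an OPT record."""
    hdr = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1 if edns_size else 0)  # RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    pkt = hdr + qname + struct.pack("!HH", qtype, qclass)
    if edns_size:
        # OPT RR: root name, TYPE 41, CLASS = advertised UDP payload size, TTL 0, RDLEN 0
        pkt += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return pkt

def _skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = pkt[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + n

def inspect_query(pkt):
    """Report query type, OPT presence and the largest reply the sender asked for."""
    try:
        _, _, qd, an, ns, ar = struct.unpack_from("!6H", pkt, 0)
        off, qtype, udp_size = 12, None, None
        for _ in range(qd):
            off = _skip_name(pkt, off)
            qtype, _qclass = struct.unpack_from("!HH", pkt, off)
            off += 4
        for _ in range(an + ns + ar):
            off = _skip_name(pkt, off)
            rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
            off += 10 + rdlen
            if rtype == 41:  # OPT pseudo-record: CLASS carries the UDP payload size
                udp_size = rclass
    except (struct.error, IndexError):
        raise ValueError("truncated or malformed DNS message")
    limit = max(udp_size, 512) if udp_size is not None else 512
    return {"size": len(pkt), "qtype": qtype, "has_opt": udp_size is not None,
            "reply_limit": limit, "max_amplification": round(limit / len(pkt), 1)}

# Constructed from the tcpdump line above; the 4096 advertised size is an assumption.
SAMPLE = build_query(38545, "e.mpisi.com.", 255, 255, edns_size=4096)
PLAIN = build_query(38545, "e.mpisi.com.", 255, 255)

if __name__ == "__main__":
    print(inspect_query(SAMPLE))
    print(inspect_query(PLAIN))
```

The figure reported is a ceiling set by the advertised size, so observed amplification depends on how large the record set for the queried name actually is.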