I bet the observed "random" source addresses are open recursive DNS servers. For this kind of attack they provide essentially free traffic-washing for whatever actual traffic-generation mechanism the attackers have.
The open recursive DNS servers are real DNS servers, with caching and backoff logic. If, say, there are 94k [1] open DNS resolvers in the wild, each will ask you one DNS question for example.com, cache the answer and that's it.
The big volume for the "fixed domain" queries indicates proper BCP-38 spoofing.
Open recursors asking for random subdomains can generate a bigger volume of attack, but still, they are smart and will fall back if the server is overwhelmed.
Even if you're assuming 100 qps from each of the 94k recursors, that's only 9.4M qps. And most of the recursors will notice the lack of an answer and will slow down / stop the queries. In practice random subdomain attacks rarely generate more than a million qps (YMMV, there are exceptions, technical nitpicks, etc).
[1] http://public-dns.tk/
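The caching argument above can be turned into a check over an authoritative server's query log: a source that re-asks the same name well inside the TTL is not behaving like a caching recursor. This is an added example, not code from the thread; the log tuple format, TTL, thresholds, label names and sample addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log: (unix_ts, source_ip, qname); documentation address ranges.
SAMPLE = [
    (0, "192.0.2.10", "example.com"), (1, "192.0.2.10", "example.com"),
    (2, "192.0.2.10", "EXAMPLE.com."), (3, "192.0.2.10", "example.com"),
    (4, "192.0.2.10", "example.com"), (5, "192.0.2.10", "example.com"),
    (0, "198.51.100.7", "a1x9.example.com"), (1, "198.51.100.7", "k3qz.example.com"),
    (2, "198.51.100.7", "p0m2.example.com"), (3, "198.51.100.7", "zz81.example.com"),
    (0, "203.0.113.5", "example.com"), (400, "203.0.113.5", "example.com"),
]

def summarize(queries, ttl):
    """Per-source totals, distinct names, and repeats of a name inside its TTL."""
    cached_at = {}  # (src, qname) -> time a caching resolver would have stored the answer
    stats = defaultdict(lambda: {"total": 0, "repeats_in_ttl": 0, "names": set()})
    for ts, src, qname in sorted(queries):
        qname = qname.lower().rstrip(".")  # DNS names are case-insensitive
        s = stats[src]
        s["total"] += 1
        s["names"].add(qname)
        seen = cached_at.get((src, qname))
        if seen is not None and ts - seen < ttl:
            s["repeats_in_ttl"] += 1       # a real cache would not re-ask yet
        else:
            cached_at[(src, qname)] = ts   # first ask, or the TTL has expired
    return stats

def classify(queries, ttl, repeat_ratio=0.5, unique_ratio=0.9, min_queries=4):
    """Label each source by how its queries compare with caching-resolver behaviour."""
    labels = {}
    for src, s in summarize(queries, ttl).items():
        if s["total"] < min_queries:
            labels[src] = "low-volume"
        elif s["repeats_in_ttl"] / s["total"] >= repeat_ratio:
            labels[src] = "fixed-name-repeats"  # inconsistent with caching
        elif len(s["names"]) / s["total"] >= unique_ratio:
            labels[src] = "unique-names"        # random-subdomain pattern
        else:
            labels[src] = "mixed"
    return labels

if __name__ == "__main__":
    for src, label in sorted(classify(SAMPLE, ttl=300).items()):
        print(src, label)
```

The repeat count assumes the earlier answer actually reached the source; when the server is dropping responses, legitimate resolver retries will also show up as repeats.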