Spoofed DNS traffic is an observation traffic from Black Lotus Communications’s IP with source port 53.This traffic indicates backscatter from an attack on Black Lotus’s customers.In other words, some of the IP addresses are being spoofed by the attacker for DNS reflection attack on TCP port 53 (DNS)
Backscatter is a side-effect of a spoofed denial of service (DoS) attack where the attacker spoofs the source address in IP packets sent to the victim in order for the victim to responds to the spoofed packets where these response packets are known as backscatter. The backscatter response packets from the victim will be sent back to the spoofed destination.
A DDoS mitigation services provider will need to validate the real source of the DNS reflection attack by responding to the spoofed packets.This explained the appearance of IP(s) from Black Lotus Communications with source port 53.
Block Black Lotus Communications IP(s):
- 220.127.116.11 – 18.104.22.168
- 22.214.171.124 – 126.96.36.199
Configuring Unicast Reverse Path Forwarding (URPF) on network routers to prevent IP address spoofing.